New Research: A "Verified" GitHub Commit Is NOT Unique
Summary
A new preprint by Jacob Ginesin reveals that verified GitHub commits can be manipulated to produce multiple valid signatures with different hashes, undermining the assumption of uniqueness and affecting supply-chain security.
View Cached Full Text
Cached at: 07/07/26, 10:21 PM
Similar Articles
@IntCyberDigest: BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the …
New research from Carnegie Mellon shows that it's possible to create a distinct signed commit that appears identical to any existing signed commit, with a valid signature and GitHub 'Verified' badge, undermining the uniqueness of commit hashes as cryptographic fingerprints.
Git Hash Chain Malleability
A research paper reveals that Git commit hashes can be malleated to produce a second valid commit with a different hash but identical content and valid signature, undermining trust in commit hash integrity and supply-chain security.
GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos
Noma Labs discovered a critical prompt injection vulnerability in GitHub's Agentic Workflows, allowing unauthenticated attackers to exfiltrate data from private repositories by posting a crafted GitHub issue in a public repository of the same organization.
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
A security research reveals a technique named Megalodon for mass backdooring of GitHub repositories by exploiting CI workflows.
Inside Ghostcommit: How Malicious PNGs Bypass AI Code Reviewers
Ghostcommit is a novel supply chain exploit that uses malicious PNG images containing text instructions to bypass AI code reviewers, leading to data exfiltration from developer environments.