‼️ BREAKING: New research shows you can copy any signed GitHub commit into a second one that looks identical, without the author's secret key, creating a distinct commit with an identical tree, identical metadata, a valid signature, and a "Verified" badge from GitHub.
On GitHub, a green "Verified" badge is supposed to mean two things: a trusted author signed it, and its ID is a one-of-a-kind fingerprint for that exact code. A new Carnegie Mellon preprint from Jacob Ginesin says the second promise, the unique fingerprint, does not hold.
Why it matters: security teams and package systems (behind tools like Go, Nix, and GitHub Actions) trust that ID as a unique handle for code. Block or pin the "bad" version, and an attacker can re-issue the same signed code under a fresh, still-verified ID that slips past. The author says Git and GitHub have not fixed it.
PoC: https://t.co/b2CevCtpcd
まぁそうなるよねと思いつつ、素人リサーチ w/ AI は、コンサル不要な程正確なのか?恣意的にならないのか?網羅的な結果を出せるのか?などとても疑問。もしかすると、そもそも正確なリサーチなど必要なく、仮説を後押ししてくれるようなそれっぽいリサーチなら何でも良かったのかという気もする。
https://t.co/Oq5qQxZcP2
MariaDB Community Serverに複数の脆弱性が見つかり、うち1件はCVSSスコア10.0の最高評価を受けた。
最も深刻な脆弱性は「CVE-2026-49261」で、CVSS基本値は10.0。詳細な技術情報は現時点で公開されていない。
このほか、「CVE-2026-48165」と「CVE-2026-48163」の2件もCVSS 8.0の高リスク脆弱性として報告された。対象となるのはMariaDB Community Server 11.8.8未満、11.4.12未満、10.11.18未満、10.6.27未満の各バージョン。
記事では、これらの問題への対策として、ベンダーが提供する保守アップデートを速やかに適用することを推奨している。また、クエリログを継続的に監視し、不審な管理操作の兆候を早期に検知することも勧めている。
https://t.co/Pr55v6Wvr4
Introducing Daybreak: frontier AI for cyber defenders.
Daybreak brings together the most capable OpenAI models, Codex, and our security partners to accelerate cyber defense and continuously secure software.
A step toward a future where security teams can move at the speed defense demands.
⚠️ Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse
Source: https://t.co/ewHl9UnrRn
Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.
Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.
This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.
#cybersecuritynews #Azure
🚨 BREAKING: Wiz Research discovered Remote Code Execution on https://t.co/SvN2lGsnbO with a single git push
The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯