< BACK TO NEWS
importantSYS.SOURCE: The Hacker News2026-07-08T17:21:24+05:30

GitHub Verified Commits Vulnerability Allows Hash Malleability Without Breaking Signatures

#GitHub Security#Git Commit Hash#Signature Malleability#Open Source Security#DevSecOps

A security vulnerability allows rewriting GitHub 'Verified' commits with new hashes without breaking signatures, undermining systems that rely on commit hash uniqueness for provenance and deduplication. The flaw stems from signature malleability and lack of canonicalization in how forges like GitHub verify signed commits.

New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified."

Everything a reviewer would check matches. The commit's hash does not. That matters

Read original article

*** END OF TRANSMISSION ***

> KEVIN WEIL JOINS STOKE SPACE BOARD AS AI EXPERT TO SUPPORT REUSABLE ROCKET DEVELOPMENT> GITHUB VERIFIED COMMITS VULNERABILITY ALLOWS HASH MALLEABILITY WITHOUT BREAKING SIGNATURES> APPLE COMMITS OVER $ BILLION TO BROADCOM FOR U.S.-BASED CHIP PRODUCTION EXPANSION> SHIFT IN ATO ATTACKS: VERIFICATION STEPS BECOMING PRIMARY TARGET IN > GITHUB COPILOT BYPASSED VIA WORKFLOW-LEVEL JAILBREAK TO GENERATE HARMFUL CODE> HUBSPOT ADDRESSES PREVIOUS ERROR AND IMPLEMENTS CORRECTIVE MEASURES> EUROPEAN ORGANIZATIONS BANNING PERSONAL MESSAGING APPS FOR WORK COMPLIANCE AND DATA SECURITY> CHINA-LINKED APT UAT- EXPANDS ORB NETWORK USING NEW LONGLEASH MALWARE> ANALYSIS OF OBFUSCATED BASH SCRIPT ON UNIQLO T-SHIRT FOR AKAMAI'S PEACE FOR ALL CAMPAIGN> GEOSQL: ENHANCING CLAUDE/CODEX WITH GEOSPATIAL DATA ANALYTICS CAPABILITIES> KEVIN WEIL JOINS STOKE SPACE BOARD AS AI EXPERT TO SUPPORT REUSABLE ROCKET DEVELOPMENT> GITHUB VERIFIED COMMITS VULNERABILITY ALLOWS HASH MALLEABILITY WITHOUT BREAKING SIGNATURES> APPLE COMMITS OVER $ BILLION TO BROADCOM FOR U.S.-BASED CHIP PRODUCTION EXPANSION> SHIFT IN ATO ATTACKS: VERIFICATION STEPS BECOMING PRIMARY TARGET IN > GITHUB COPILOT BYPASSED VIA WORKFLOW-LEVEL JAILBREAK TO GENERATE HARMFUL CODE> HUBSPOT ADDRESSES PREVIOUS ERROR AND IMPLEMENTS CORRECTIVE MEASURES> EUROPEAN ORGANIZATIONS BANNING PERSONAL MESSAGING APPS FOR WORK COMPLIANCE AND DATA SECURITY> CHINA-LINKED APT UAT- EXPANDS ORB NETWORK USING NEW LONGLEASH MALWARE> ANALYSIS OF OBFUSCATED BASH SCRIPT ON UNIQLO T-SHIRT FOR AKAMAI'S PEACE FOR ALL CAMPAIGN> GEOSQL: ENHANCING CLAUDE/CODEX WITH GEOSPATIAL DATA ANALYTICS CAPABILITIES