Supply Chain Attackers Escalate With GitHub Dependabot Impersonation

In the latest attack to target software supply chains, attackers slipped malicious code updates into hundreds of GitHub repositories, using stolen personal access tokens (PATs) to push the commits and the name of a well-known tool, Dependabot, to convince developers to accept them. The campaign abused the stolen PATs, credentials that authenticate their holder to GitHub rather than vouch for the code being pushed, to check code into the repositories, and relied on a known technique to spoof the name of the contributor: git records whatever author name and email the committer supplies, so a commit can be made to display as Dependabot's, according to an advisory published Sept.
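The contributor-spoofing technique above works because the author and committer fields of a git commit are free text, so a repository owner cannot trust the displayed name alone. What does bind a commit to an identity is a signature. The following detection script is an added example, not code from the article or from GitHub: it reads `git log --format='%H|%an|%ae|%cn|%ce|%G?'` output (a few constructed sample lines are embedded) and flags commits that claim to be from `dependabot[bot]` but carry no verifiable signature or were not committed through GitHub's own web-flow committer. The `noreply@github.com` committer address and the `49699333+dependabot[bot]@users.noreply.github.com` author address are assumptions about what a genuine Dependabot commit looks like, not facts taken from the page.

```python
"""Flag commits that claim to be from Dependabot but cannot be verified.

Input is the output of:
    git log --format='%H|%an|%ae|%cn|%ce|%G?'
The %G? field is git's signature status: G = good, U = good but untrusted key,
N = no signature, B = bad, E = cannot be checked, and so on.
"""
import re

# Assumptions for this example (not from the article): genuine Dependabot
# commits carry the dependabot[bot] author name and are committed and signed
# by GitHub's web-flow identity, which uses the noreply@github.com address.
DEPENDABOT_PATTERN = re.compile(r"dependabot\[bot\]", re.IGNORECASE)
GITHUB_COMMITTER_EMAIL = "noreply@github.com"
SIGNED_OK = {"G", "U"}  # signature verified; U only means the key is not locally trusted

# Constructed sample log lines. The second and fourth commits impersonate the
# bot: one is unsigned, the other is signed but not committed through GitHub.
SAMPLE_LOG = """\
a1b2c3|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|GitHub|noreply@github.com|G
d4e5f6|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|N
789abc|Jane Dev|jane@example.com|Jane Dev|jane@example.com|N
fedcba|dependabot[bot]|49699333+dependabot[bot]@users.noreply.github.com|Some Contractor|contractor@example.com|G
"""


def parse_log_line(line):
    """Split one formatted git log line into its six fields."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 6:
        raise ValueError(f"unexpected git log line: {line!r}")
    sha, author_name, author_email, committer_name, committer_email, sig = fields
    return {
        "sha": sha,
        "author_name": author_name,
        "author_email": author_email,
        "committer_name": committer_name,
        "committer_email": committer_email,
        "sig": sig,
    }


def is_suspicious(commit):
    """True when the author claims to be Dependabot but the commit is either
    unsigned (or its signature fails) or was not committed via GitHub."""
    if not DEPENDABOT_PATTERN.search(commit["author_name"]):
        return False  # not claiming to be the bot; out of scope here
    if commit["sig"] not in SIGNED_OK:
        return True  # name is spoofable, a missing or bad signature is the tell
    if commit["committer_email"] != GITHUB_COMMITTER_EMAIL:
        return True  # signed, but by someone other than GitHub's web-flow
    return False


def find_impersonated_commits(log_text):
    """Return the SHAs of suspicious Dependabot-attributed commits, in log order."""
    commits = (parse_log_line(l) for l in log_text.splitlines() if l.strip())
    return [c["sha"] for c in commits if is_suspicious(c)]


if __name__ == "__main__":
    for sha in find_impersonated_commits(SAMPLE_LOG):
        print(f"suspicious Dependabot commit: {sha}")
```

Run it against a real repository with `git log --format='%H|%an|%ae|%cn|%ce|%G?' | python3 check.py` after adapting the `__main__` block to read stdin. Note that the committer fields are as forgeable as the author fields, so the committer check only catches careless impersonation; the signature status is the check that actually binds the commit to a key, and it requires GitHub's web-flow public key to be in the local keyring for `%G?` to report `G` or `U`.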

Source: Dark Reading: Cloud

 

