Weaponizing Dependabot: Pwn Request at its finest


Learn how Dependabot can be co-opted to exploit some sensitive workflows, through the Confused Deputy Problem and branch name injections.

This could essentially be considered a variant of Pwn Request without RCE (if you're not familiar, check out our previous article, Exploiting CI/CD with Style(lint): LOTP Guide). BoostSecurity's research team (plus some clever folks during a Hackathon we organized) uncovered not one but two unique, sneaky ways to achieve this kind of injection. This is a previously undisclosed TTP we had to develop in the fall of 2024, as it was key in several high-profile Bug Bounty responsible disclosures. Dependabot can sometimes be quick, but merges taking 20+ seconds have been observed: plenty of time for a swift push, and we've successfully used the ActionsTOCTOU tool for this kind of scenario.
