DeepSource Says Hackers Compromised Its GitHub Application

Automated code review tool provider DeepSource this week announced that it reset tokens, secrets, private keys, and employee credentials after being informed that its GitHub application was compromised.

Designed to help developers identify security flaws, bug risks, and performance issues during code review, DeepSource also provides integration with GitHub to allow app authors to get started with code analysis fast.

On Tuesday, DeepSource announced that, on July 11, the GitHub Security Team informed them of potentially malicious activity related to the DeepSource GitHub application, and that precautionary measures to limit potential access to resources were taken immediately.

“By 7AM UTC, we had rotated all user tokens, client secrets and private keys. Since we didn’t know the origin of the attack, we also rotated all credentials and keys of employees who had access to production systems. Through internal investigation, we have not identified any unusual breach or behaviour, and have concluded that the DeepSource infrastructure has not been breached,” the startup announced.

Starting mid-June, the GitHub Security team observed numerous requests from unusual IP addresses for DeepSource users, but was not sure that a compromise had occurred, despite the anomalous traffic.

Following a deeper investigation, however, GitHub determined that hackers managed to compromise the GitHub account of one of DeepSource’s employees, as part of the Sawfish phishing campaign that was detected earlier this year.

Thus, the attackers managed to access credentials for the DeepSource GitHub app, the startup says.

“Unfortunately, GitHub’s privacy policy prevents them from sharing the affected user list with us, so we are disclosing this issue publicly while waiting for GitHub to complete their investigation. Our understanding is GitHub will notify the directly affected users as per their policies,” DeepSource notes.

Users who would like to receive additional information on repository downloads and other account activity to identify suspicious behavior can head to this page and ask GitHub for the necessary logs.

DeepSource says that it has already engaged with industry security advisors and that it has taken measures to improve policies and security, including through conducting security training for its employees.

“Additionally we have started work towards gaining the SOC 2 Type 2 compliance certification, which will provide a path for third party auditors to ensure that DeepSource’s security practice exceeds industry standards,” the company announced.

To further improve security, DeepSource plans on launching a bug bounty program in the near future, to identify weaknesses in its assets, even if this incident is not the result of a vulnerability in the DeepSource application itself.

The startup also sent notifications to all of its users via email to inform them about the security incident.

Related: GitHub Warns Users of Sophisticated Phishing Campaign

Related: Cloud Company Blackbaud Pays Ransomware Operators to Avoid Data Leak

Related: Hackers Accessed, Downloaded Twitter User Data in Recent Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
