Cannot Depend on Dependabot: Found Contributing Malicious Code
Threat actors meticulously fabricated commit messages that mimic Dependabot's automated contributions in order to mask their malicious activity. Between July 8 and July 11, an unidentified threat actor began compromising a multitude of GitHub repositories, affecting both public and private sectors, with a significant number of victims originating from Indonesia. The attackers skillfully manipulated the commit messages so that developers would believe the real Dependabot had made these contributions.
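A defender can triage for this kind of impersonation by comparing what a commit claims with what GitHub attests about it. The following is an added example, not code from the original article: it takes commit objects shaped like the GitHub REST API's commit list response and flags those that present themselves as Dependabot's work but are not tied to the `dependabot[bot]` account with a verified signature. The subject-line pattern, the expectation that genuine Dependabot commits are marked verified, the helper names, and the sample records (all constructed) are assumptions of this example.

```python
import re

# Assumed Dependabot-style subject: "Bump x from 1 to 2", optionally
# prefixed, e.g. "build(deps): bump x from 1 to 2".
BUMP_RE = re.compile(r"^(?:[\w()\-]+:\s*)?bump \S+ from \S+ to \S+", re.I)
BOT_LOGIN = "dependabot[bot]"

def claims_dependabot(c):
    """True if the commit presents itself as Dependabot's work."""
    meta = c["commit"]
    name = (meta.get("author") or {}).get("name", "")
    subject = (meta.get("message") or "").split("\n", 1)[0]
    return "dependabot" in name.lower() or bool(BUMP_RE.match(subject))

def is_genuine_bot(c):
    """Linked bot account plus a signature GitHub marked as verified."""
    account = c.get("author") or {}  # null when no GitHub account is linked
    verified = (c["commit"].get("verification") or {}).get("verified", False)
    return (account.get("login") == BOT_LOGIN
            and account.get("type") == "Bot" and verified is True)

def suspicious_commits(commits):
    """SHAs that claim to be Dependabot but lack GitHub-side evidence."""
    return [c["sha"] for c in commits
            if claims_dependabot(c) and not is_genuine_bot(c)]

def _commit(sha, name, message, login, kind, verified):
    # Constructed sample record, reduced to the fields used above.
    account = {"login": login, "type": kind} if login else None
    return {"sha": sha, "author": account,
            "commit": {"author": {"name": name}, "message": message,
                       "verification": {"verified": verified}}}

SAMPLE = [
    _commit("a1", "dependabot[bot]", "Bump lodash from 4.17.20 to 4.17.21",
            "dependabot[bot]", "Bot", True),
    _commit("b2", "dependabot[bot]", "Bump requests from 2.30.0 to 2.31.0",
            None, None, False),             # spoofed name, no linked account
    _commit("c3", "example-dev", "build(deps): bump axios from 1.4.0 to 1.5.0",
            "example-dev", "User", False),  # bot-style message, human account
    _commit("d4", "example-dev", "Fix typo in README",
            "example-dev", "User", False),  # ordinary commit, not flagged
]

if __name__ == "__main__":
    print(suspicious_commits(SAMPLE))
```

The result is a triage list rather than a verdict: a developer who bumps a dependency by hand with a Dependabot-style subject line will also appear in it.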