SPIN Unprocessed July 8, 2026 ai_technology cybersecurity
GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures
View original on thehackernews.comOverview
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters
SpinGraph analysis pending — check back after processing.
Ask AI about this story
Opens with the SpinGraph .md URL and structured context — one click, prompt included.
More from The Hacker News
View all →- GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
- The Verification Step Is the New ATO Battleground in 2026
- SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
- New Ghost Phishing Wave Is Breaking Traditional Email Security
- Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
- New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware
Markdown (.md) · JSON-LD schema (.json) · Machine-readable for AI & GEO