Commit Stomping - An Offensive Technique Let Hackers Manipulate Timestamps in Git to Alter File Metadata

While not a bug or vulnerability, Commit Stomping exploits Git’s flexibility to rewrite the timeline of code changes, posing significant risks to software supply chain security, incident response, and code audits. Inspired by “timestomping,” a tactic used in offensive cyber operations to alter file metadata, Commit Stomping involves falsifying the timestamps of Git commits to mislead observers about when changes were made. Dubbed “Commit Stomping,” the technique relies on a lesser-known feature of Git that lets users set commit timestamps themselves, potentially disguising malicious or unauthorized changes in a repository’s history. As software becomes a critical part of the security perimeter, treating Git’s commit history as immutable is no longer safe. In a world where code tells a story, Commit Stomping lets bad actors rewrite the plot. Commit Stomping isn’t a traditional security flaw, so there is no patch coming.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 16 May 2025 06:24:57 +0000


Cyber News related to Commit Stomping - An Offensive Technique Let Hackers Manipulate Timestamps in Git to Alter File Metadata

Embracing offensive cybersecurity tactics for defense against dynamic threats - In this Help Net Security, Alexander Hagenah, Head of Cyber Controls at SIX, discusses the critical steps in creating effective offensive security operations and their impact on organizational security strategies. The first line of defense is often ...
1 year ago Helpnetsecurity.com
CVE-2020-11008 - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open ...
5 years ago
CVE-2022-24765 - Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder ...
1 year ago
Critical Git vulnerability allows RCE when cloning repositories with submodules - Git is a widely-popular distributed version control system for collaborative software development. It can be installed on machines running Windows, macOS, Linux, and various *BSD distributions. Web-based software development platforms GitHub and ...
1 year ago Helpnetsecurity.com CVE-2024-32002 CVE-2024-32465 CVE-2024-32020 CVE-2024-32021 CVE-2024-32004
What is offensive security? - Offensive security is the practice of actively seeking out vulnerabilities in an organization's cybersecurity. In the past, offensive security referred to methods to actively slow down or to find information about attackers. This is no longer widely ...
1 year ago Techtarget.com
CVE-2022-24826 - On Windows, if Git LFS operates on a malicious repository with a `..exe` file as well as a file named `git.exe`, and `git.exe` is not found in `PATH`, the `..exe` program will be executed, permitting the attacker to execute arbitrary code. This does ...
3 years ago
CVE-2021-43860 - Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions ...
1 year ago
CVE-2024-45405 - `gix-path` is a crate of the `gitoxide` project (an implementation of `git` written in Rust) dealing with paths and their conversions. Prior to version 0.10.11, `gix-path` runs `git` to find the path of a configuration file associated with the `git` ...
9 months ago
CVE-2021-23632 - All versions of package git are vulnerable to Remote Code Execution (RCE) due to missing sanitization in the Git.git method, which allows execution of OS commands rather than just git commands. Steps to Reproduce 1. Create a file named exploit.js ...
3 years ago
Hackers ramp up scans for leaked Git tokens and secrets - To mitigate the risks that arise from these scans, it is recommended to block access to .git/ directories, configure web servers to prevent access to hidden files, monitor server logs for suspicious .git/config access, and rotate potentially exposed ...
1 month ago Bleepingcomputer.com Snatch
CVE-2022-41903 - Git is a distributed revision control system. `git log` can display commits in an arbitrary format using its `--format` specifiers. This functionality is also exposed to `git archive` via the `export-subst` gitattribute. When processing the padding ...
1 year ago
CVE-2024-31144 - For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata ...
4 months ago Tenable.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
2 years ago Hackread.com
CVE-2020-26233 - Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, ...
4 years ago
CVE-2024-50338 - Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the ...
5 months ago Tenable.com
CVE-2024-35183 - wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than `github.com`. Most git-dependent functionality in wolfictl ...
1 year ago
CVE-2023-40590 - GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs ...
1 year ago
CVE-2024-40644 - gitoxide is an idiomatic, lean, fast & safe pure Rust implementation of Git. `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account on Windows systems. Windows permits limited user accounts ...
10 months ago
Cobalt's New Report Uncovers a Big Shift in Cybersecurity Strategy - PRESS RELEASE. SAN FRANCISCO, Feb. 14, 2024 /PRNewswire-PRWeb/ - Cobalt, the pioneers of Pentest as a Service, empowering businesses to operate fearlessly and innovate securely, has today announced the release of the inaugural OffSec Shift Report. ...
1 year ago Darkreading.com
Microsoft says it fixed a Windows Metadata server issue that's still broken - Microsoft claims to have fixed Windows Metadata connection issues which continue to plague customers, causing problems for users trying to manage their printers and other hardware. When new hardware is added to a Windows computer, the operating ...
1 year ago Bleepingcomputer.com
CVE-2021-21300 - Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be ...
2 years ago
CVE-2020-5260 - Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials ...
4 years ago
Critical Git Vulnerabilities Discovered During Source Code Security Audit - Two critical vulnerabilities have been discovered in the popular Git version control system during a source code security audit. The vulnerabilities, CVE-2018-17456 and CVE-2018-17457, could both potentially allow a malicious user to overwrite parts ...
2 years ago Securityweek.com
Git Security Breach – Critical Flaws Found - Software vulnerabilities are a serious concern for companies and developers. Recently, the prominent source code management system Git has come under scrutiny after two critical vulnerabilities were discovered, which could have been exploited to ...
2 years ago Securityaffairs.com