Archived

• [Security firm] Silent Push Threat Analysts followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S.
• The team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams.
• We identified a private technical fingerprint associated with this infrastructure, which contains Chinese words and characters to strongly indicate that the developers of this network are from China.
• Our analysts observed this threat actor group building multiple phishing websites with pages spoofing well-known retailers, including Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans.
• The threat actor has also been caught abusing online payment services, including MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay, across the campaign’s network of scam websites.

[...]

• GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents.
• I scanned every force push event since 2020 and uncovered secrets worth $25k in bug bounties.
• Together with Truffle Security, we're open sourcing a new tool to scan your own GitHub organization for these hidden commits (try it here).