Microsoft's Copilot AI assistant is exposing the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent and, ironically, Microsoft.
These repositories, belonging to more than 16,000 organizations, were originally posted to GitHub as public, but were later set to private, often after the developers responsible realized they contained authentication credentials allowing unauthorized access or other types of confidential data. Even months later, however, the private pages remain available in their entirety through Copilot.
AI security firm Lasso discovered the behavior in the second half of 2024. After finding in January that Copilot continued to store private repositories and make them available, Lasso set out to measure how big the problem really was.
GitHub has announced a slew of updates for Copilot, while also giving a glimpse into a more agentic future for its AI-powered pair programmer. Among the notable updates is a feature called Vision for Copilot, which allows users to attach a screenshot, photo, or diagram to a chat, with Copilot generating the interface, code, and […]
Code updates to a government database that helps track whether a federal program to get children ready for school at age five is actually working show software engineers are purging it of references to "forbidden words" related to DEI.
The updates, shown in GitHub commits, are to a database for the Department of Health and Human Services' Head Start program. They show a project called "Remove-DEI," which reveals some of the back-and-forth that is happening behind the scenes to align federal agencies with Donald Trump's executive orders that forbid almost anything having to do with race or gender within federal agencies. The GitHub pages show software engineers discussing amongst themselves how best to remove all instances of "forbidden words" from a specific database, and the code updates they used to do it. The changes also show that, while thousands of government datasets are disappearing from the internet, even ones that remain are having parts of their utility deprecated or broken in a way that may not be visible to those outside the government.
The Office of Head Start is a government agency that spends roughly $12 billion per year to get families and children between birth and age five ready to succeed in schools, with a special focus on providing and administering grants to groups that provide assistance for "America's most vulnerable young children." Head Start centers were briefly impacted by Trump's spending freeze, leading centers to worry about making payroll.
The changes show that the U.S. government or people working on its behalf are not just manually deleting references to diversity, equity, inclusion, and accessibility (DEIA) but are also writing and tweaking code to remove references to DEI in a more blunt-force way. The HHS change is emblematic of hundreds that 404 Media has reviewed in recent days. At HHS, a recent GitHub commit details a project called "Remove-DEI," which removes the ability to search or filter this Head Start database for information on how well programs that target "families affected by systemic discrimination/bias/exclusion" are actually working.
This specific database is behind a government login wall, but allows government employees to search for information about grants and programs that had a focus on "Equity" and had a target population of "Children/Families affected by systematic discrimination/bias/exclusion."
Code in the database was tweaked to remove the ability to search or filter according to these terms. A description of the change explained on GitHub reads "Review the option for equity: Removal of the equity topic from the topic drop down, removal of the equity topic from all filters, Removal of the DEIA standard goal, 'Families affected by systemic discrimination/bias/exclusion' removes as a target population."
The coder also explains that they tweaked how topics are filtered in the database as a way of "making sure that when we mark a topic as deleted, it is removed from all the relevant places."
The coder asked their colleagues to "confirm equity has been removed from the places above. I ask also that you scan the website for other places where we need to remove the forbidden words." The code was written by employees at a company called Ad Hoc LLC, a government contractor that works with HHS on the database. Ad Hoc is being paid $7.2 million to manage the database, according to federal records.
Ad Hoc was created in the aftermath of the HealthCare.gov launch debacle, and describes itself as "a digital services company that helps the federal government better serve people." Ad Hoc declined to comment.
HHS told 404 Media that it is not allowed to comment: "HHS has issued a pause on mass communications and public appearances that are not directly related to emergencies or critical to preserving health. This is a short pause to allow the new team to set up a process for review and prioritization. There are exceptions for announcements that HHS divisions believe are mission critical, but they will be made on a case-by-case basis."
The tweak is one of hundreds that have been revealed across government via GitHub's commit tracking, which shows version changes to code, websites, and other projects managed on the site. It also gives insight into how the hundreds of websites and datasets being deleted are actually being purged. WIRED reported earlier Monday that the federal government is now using scripts to forcibly remove gender pronouns from federal employee email signatures.
18F is a much-hyped government agency within the General Services Administration that was founded under the Obama Administration after the disastrous rollout of Healthcare.gov. It more or less had the specific goal of attracting Silicon Valley talent to the federal government to help the government innovate and make many of its websites and digital services suck less. It is one of the "cooler" federal agencies, and has open sourced many of its projects on GitHub.
GitHub is a website for open source development that shows changes across different "commits," or changes to code and documentation. In the first days of the Trump administration, 18F's commit list is full of change logs detailing the administration's attempts to destroy the concept of diversity, equity, and inclusion.
The changes show that in the last 48 hours, 18F has edited text and wholesale deleted both internal and external web pages about, for example, "Inclusive behaviors," "healthy conflict and constructive feedback," "DEIA resources," and "Diversity, equity, inclusion, and accessibility." It deleted a webpage about "psychological safety" (which now 404s), deleted all information about the "DE&I leads" at the agency, as well as language for employees that said "Anyone who has issues or concerns related to inclusion or equity in the 18F engineering chapter should feel empowered to reach out to the DE&I Leads." It has deleted, in various places, the word "inclusion," as well as the term "affinity groups."
It also deleted an internal Slack Bot called "Inclusion Bot," which is described as being "integrated into Slack and passively listens for words or phrases that have racist, sexist, ableist, or otherwise exclusionary or discriminatory histories or backgrounds. When it hears those words, it privately lets the writer know and offers some suggested alternatives."
It has also notably deleted information intended for improving accessibility for blind and visually impaired employees, which asked employees to use "visual descriptions" when introducing themselves on Zoom meetings.
In a hiring document, the language "Teams should consider factors of equity and complexity of the research when determining compensation for participants on their project" has been changed to "team should consider other factors or complexity of the research."
Microsoft CEO Satya Nadella has announced a dramatic restructuring of the company's engineering organization, which is pivoting the company's focus to developing the tools that will underpin agentic AI.
Dubbed "CoreAI - Platform and Tools," the new division rolls the existing AI platform team and the previous developer division (responsible for everything from .NET to Visual Studio) along with some other teams into one big group.
As for what this group will be doing specifically, it's basically everything that's mission-critical to Microsoft in 2025, as Nadella tells it:
GitHub is Microsoft's code-hosting platform that lets users collaborate on open-source projects.
GitHub has a free version, and several tiers of paid subscription versions.
GitHub is extremely popular among software developers, and is used by most Fortune 100 companies.
If you're interested in software or software development, you've likely heard of GitHub.
For a coder, GitHub is akin to what Pinterest offers to an interior designer: a place where a person goes not just to upload content, but also for creative inspiration and collaboration.
The company bills itself as the world's leading software development platform, and says over 100 million developers use GitHub, as well as 90% of Fortune 100 companies.
GitHub is owned by Microsoft. The company was founded in 2007, but Microsoft acquired it in 2018 for $7.5 billion in stock, and Microsoft's CEO said at the time that the deal would "strengthen our commitment to developer freedom, openness and innovation."
GitHub has also recently integrated Copilot, Microsoft's AI tool. CEO Satya Nadella said in a July 2024 Microsoft earnings call that Copilot is "by far the most widely adopted AI-powered developer tool," and is responsible for 40% of GitHub's revenue growth.
GitHub's annual revenue run rate is now $2 billion, thanks to Copilot and GitHub's premium subscriptions.
Here's what you need to know about GitHub and how it relates to coding.
What is GitHub?
Microsoft CEO Satya Nadella has said the Copilot AI tool is responsible for 40% of GitHub's growth.
GitHub is, fundamentally, a hosting platform for coders. The cloud-based service allows coders to effectively manage and maintain open-source programming projects while collaborating with others.
To understand how GitHub works, you have to have an understanding of "Git" and the idea of "version control" in relation to Git.
Git, started by Linux creator Linus Torvalds, is an open-source version control system that tracks changes in files over time.
Version control is an important system when it comes to coding. It enables coders to be nimble with programming, and allows for apps to constantly have new version releases, expansion to other platforms, and bug fixes, among other tracked changes.
Version control systems like Git help maintain the integrity and security of ever-evolving code by safeguarding modifications, and those revisions are then hosted by GitHub, or an alternative "repository" hosting service, although GitHub is the most popular among developers.
This allows developers to easily collaborate, allowing them to download a new version of the software, make changes, and upload the newest revision. Every developer can see these new changes, download them, and contribute.
There are disadvantages to GitHub, too. GitHub users have been vocal in the past about complaints with the platform; some say GitHub is expensive, buggy, and insufficient for large teams.
Is GitHub free to use?
GitHub has a free version with limited bandwidth and storage, and two paid versions. The Team subscription is geared towards individuals and organizations seeking "advanced collaboration" options, and costs $4 per user per month.
The Enterprise subscription costs $21 per user per month, and has the same advantages as Team, plus a host of other advanced features, greater security, and premium support services.
How to start using GitHub
If you're looking for a resource to maintain and share code, you can easily install Git and sign up for GitHub for free. Here's how to get started:
1. First, you'll need to install the Git version control system, which you can download for free. Follow the directions specific to the device you're using.
2. Next, you can create your GitHub account at GitHub.com. A free account will have some limitations, but gives you access to both public and private repositories.
Once you've downloaded Git, enter your email address and create a username and password for your GitHub account.
3. With your free account, you can get started right away and create a repository by clicking Create a repository on the GitHub homepage to start a new project.
You can create a repository, explore existing repositories, or watch an introduction to GitHub video through this page.
From the same page, you can also access learning materials like a "What is GitHub?" video or an exercise in GitHub flow if you need more expertise before getting started with creating a repository.
Welcome back to Week in Review. This week, we're looking at OpenAI's last, and biggest, announcement from its "12 Days of OpenAI" event; Apple's potential entrance into the foldable market; and why Databricks is choosing to wait to go public. Let's get into it. P.S. We're off for the holidays! Week in Review […]
Microsoft-owned GitHub announced on Wednesday a free version of its popular Copilot code completion/AI pair programming tool, which will also now ship by default with Microsoft's popular VS Code editor. Until now, most developers had to pay a monthly fee, starting at $10 per month, with only verified students, teachers, and open source maintainers getting […]
A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.
The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.
Unusual longevity
The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month.
The open source funding problem is very real, but a slew of initiatives have emerged of late, with startups, corporations, and venture capitalists launching various programs to support some of the most critical projects via equity-free financing. Today it's GitHub's turn, launching the GitHub Secure Open Source Fund with an initial commitment of $1.25 million […]