Black & White Path
Jul 15, 2026 · Information Security
GitHub Verified Badge Is Malleable: Identical Code, Multiple Valid Commit Hashes
A Carnegie Mellon PhD student uncovered a fundamental flaw in GitHub's "Verified" badge that lets an attacker, without the signing key, generate a second commit with the same tree, timestamp and a valid signature but a different hash, compromising any system that treats the commit hash as an immutable identifier.
GitGitHubVerified badge
0 likes · 8 min read
