Black & White Path
Jul 11, 2026 · Information Security
GitHub Verified Badge Malleable: Same Code Yields Multiple Valid Commit Hashes
Jacob Ginesin of Carnegie Mellon discovered that GitHub’s “Verified” badge can be forged through signature malleability, allowing an attacker to create a second commit with identical tree and timestamp but a different hash, breaking the assumption that commit hashes are immutable identifiers for many downstream systems.
GitHubVerified badgegit
0 likes · 8 min read
