{"id":3270,"date":"2025-05-21T10:00:00","date_gmt":"2025-05-21T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3270"},"modified":"2025-05-21T10:00:00","modified_gmt":"2025-05-21T10:00:00","slug":"github-package-limit-put-law-firm-in-security-bind","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3270","title":{"rendered":"GitHub package limit put law firm in security bind"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A $1 billion law firm last week learned a critical cybersecurity lesson: Even something as innocuous as the ceiling on the number of packages allowed in GitHub can increase an enterprise\u2019s threat profile by undercutting the least privilege principle.<\/p>\n<p>When the problem was initially discovered early this month, it presented the consulting firm handling the application issue for the law firm with a seemingly impossible dilemma.<\/p>\n<p>Scott Bellware, co-CEO of BrightWorks Digital, which was doing the work for its law firm client, said the problem cropped up when the BrightWorks team was trying to handle a file transfer.<\/p>\n<p>\u201cWe discovered a 500-package limit for GitHub packages for any user other than an organizational admin. As a result, only people with organizational admin privileges can install all packages,\u201d <a href=\"https:\/\/www.linkedin.com\/posts\/scottbellware_the-story-of-how-microsoft-has-exposed-our-activity-7328158262422360064-NXq6\/\" target=\"_blank\" rel=\"noopener\">Bellware wrote in a LinkedIn post<\/a>. \u201cThose without those privileges can only install the first 498 packages. New packages, of course, represent new work. New work, which is a significant share of what the team is doing, is stopped in its tracks. 
The cost of this is understandably eye-watering.\u201d<\/p>\n<p>After trying various workarounds, Bellware\u2019s team realized the most practical solution would violate least privilege: \u201cOur only option is to give organizational admin privileges to every single contributor on our team of 25+ people. The security implications of this are shocking,\u201d Bellware wrote.\u00a0<\/p>\n<p>Making the situation worse were BrightWorks\u2019 initial interactions with support for GitHub, which has been owned by Microsoft since 2018.<\/p>\n<p>\u201cAfter filing a critical support ticket with GitHub, we received a message days later informing us that the person to whom this matter could be escalated has been out of the office,\u201d Bellware wrote. \u201cLiterally one single person to whom a critical support matter could be escalated out of the entirety of the GitHub technical staff.\u201d<\/p>\n<p>But Bellware never had to make that security compromise because he reached out to the Microsoft VP in charge of developer communities, Scott Hanselman, whom Bellware had known for 25 years.<\/p>\n<p>Hanselman assigned the matter to <a href=\"https:\/\/github.com\/martinwoodward\" target=\"_blank\" rel=\"noopener\">Martin Woodward<\/a>, GitHub\u2019s VP of developer relations, who was hired by Hanselman, Bellware said.\u00a0<\/p>\n<p>Within a day of the request, GitHub increased the accessible package limit to 1,000 \u201cfor team members who are not organizational admins,\u201d Bellware said, adding that Microsoft told him that it is working on a permanent fix to the issue and would be releasing it \u201csoon.\u201d<\/p>\n<p>One Microsoft official confirmed the details, but would not speak on the record about what happened.\u00a0<\/p>\n<p>Still, Microsoft\u2019s unusually fast action helped BrightWorks and its law firm client avert a difficult cybersecurity tradeoff.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Value of vendor relationships<\/h2>\n<p>In an interview with CSO, 
Bellware said that when the package limit was set quite some time ago, it was not considered likely that many would need to exceed the 500-package ceiling. Current development efforts, however, are making that more of an issue.\u00a0<\/p>\n<p>Discussing why they need so many packages, Bellware said there are many ways enterprises can use packages. \u201cYou can have a large number of packages because you are incredibly disorganized or because you are incredibly organized,\u201d Bellware told CSO. \u201cWe use packages in the way that we are supposed to use them, to track units of deployment.\u201d<\/p>\n<p>The problem started on May 7 when Bellware\u2019s team released its packages to the GitHub package repository. \u201cThey turned around and attempted to install the packages in server environments\u201d when they discovered that only one team member \u2014 the sysadmin \u2014 could do it.<\/p>\n<p>The law firm project was beyond 500 packages, but not materially more, with Bellware estimating that they needed access for about a dozen more packages.\u00a0<\/p>\n<p>\u201cWe experimented with a temporary way to free up some space\u201d and it involved \u201cunpublishing some packages that we knew were not going to be installed anytime soon,\u201d Bellware said.\u00a0<\/p>\n<p>According to Bellware, GitHub representatives said they are working on major changes so the doubled-ceiling fix is only temporary. \u201cInstead of trying to make a permanent repair to something that they knew would be replaced, they just did a temporary patch,\u201d Bellware said.\u00a0<\/p>\n<p>Had he not had a personal connection inside Microsoft, it would have been difficult to get the matter fixed, Bellware said, adding that no one at Microsoft or GitHub knew who the client was until the very end. 
\u201cTo get something done with Microsoft, you need to be willing to do something public about it,\u201d Bellware advised.\u00a0<\/p>\n<p>The package limit \u201cwas there for a purpose and it ended up interfering \u2014 accidentally \u2014 with our purpose,\u201d he said.<\/p>\n<p>The incident is a good reminder that creating something that seems rational and reasonable, such as setting a limit on the number of packages that anyone other than a sysadmin can handle, can deliver unexpected consequences that can derail cybersecurity protections.<\/p>\n<p>For CISOs, it also shows the value of <a href=\"https:\/\/www.csoonline.com\/article\/572659\/secrets-to-a-building-a-healthy-ciso-vendor-partnership.html\">strong vendor relationships<\/a>, as going public with security-related problems isn\u2019t always a viable option.<\/p>\n<p>More by Evan Schuman:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3963288\/the-most-dangerous-time-for-enterprise-security-one-month-after-an-acquisition.html\">The most dangerous time for enterprise security? One month after an acquisition<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3819170\/nearly-10-of-employee-gen-ai-prompts-include-sensitive-data.html\">Nearly 10% of employee genAI prompts include sensitive data<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3820042\/the-solarwinds-4-4-billion-acquisition-gives-cisos-what-they-least-want-uncertainty.html\">The SolarWinds $4.4 billion acquisition gives CISOs what they least want: Uncertainty<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A $1 billion law firm last week learned a critical cybersecurity lesson: Even something as innocuous as the ceiling on the number of packages allowed in GitHub can increase an enterprise\u2019s threat profile by undercutting the least privilege principle. 
When the problem was initially discovered early this month, it presented the consulting firm handling the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3258,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3270","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3270"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3270"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3270\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3258"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}