Hackers Deceive Developers by Spoofing GitHub Commit Metadata
Checkmarx warned of a new supply-chain attack that involves spoofing commit metadata to deceive GitHub developers into using malicious code. Commits are essential components of the GitHub system, and each has a unique hash or ID. Fake commits can be automatically generated and added to a user's GitHub activity graph, making it appear as if the user has been active on the code hosting platform for a very long time.
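A defender-side check for the spoofing described above, as an added example that is not from Checkmarx or the original article: Git records the author name, email and dates exactly as the committing client supplies them, so this script flags commits that lack a good signature or whose author date is far from the commit date. The sample log lines, the 30-day threshold and the function name `audit_commits` are assumptions made for illustration; the input is the output of `git log --format='%H%x09%an%x09%ae%x09%aI%x09%cI%x09%G?'`.

```python
from datetime import datetime, timedelta

# Constructed sample (not real commits): tab-separated fields
# hash, author name, author email, author date, commit date, signature status.
SAMPLE_LOG = "\n".join([
    "1111111111111111111111111111111111111111\tAlice Example\talice@example.com"
    "\t2024-03-01T10:00:00+00:00\t2024-03-01T10:00:05+00:00\tG",
    "2222222222222222222222222222222222222222\tAlice Example\talice@example.com"
    "\t2015-06-12T09:00:00+00:00\t2024-03-02T11:30:00+00:00\tN",
    "3333333333333333333333333333333333333333\tBob Example\tbob@example.com"
    "\t2024-03-03T08:15:00+00:00\t2024-03-03T08:15:00+00:00\tN",
    "4444444444444444444444444444444444444444\tBob Example\tbob@example.com"
    "\t2024-03-04T12:00:00+00:00\t2024-03-04T12:00:00+00:00\tB",
])

# git's %G? codes: G = good signature, B = bad, N = none; others (U, X, Y, R, E)
# mean the signature could not be fully trusted. Only G is accepted here.
TRUSTED_SIG = {"G"}
MAX_SKEW = timedelta(days=30)  # assumed review threshold, tune per repository


def audit_commits(log_text, max_skew=MAX_SKEW):
    """Return (short_hash, author_email, reasons) for each suspicious commit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, _name, email, author_date, commit_date, sig = line.split("\t")
        reasons = []
        # Author identity is self-asserted; a verified signature is the only
        # field here that the committing client cannot simply type in.
        if sig not in TRUSTED_SIG:
            reasons.append(f"signature status {sig}")
        # A large gap between the two dates is a heuristic for backdating.
        # It misses commits where both dates were set to the same fake value.
        skew = abs(datetime.fromisoformat(commit_date)
                   - datetime.fromisoformat(author_date))
        if skew > max_skew:
            reasons.append(f"author date is {skew.days} days from commit date")
        if reasons:
            findings.append((sha[:8], email, reasons))
    return findings


if __name__ == "__main__":
    for short_hash, email, reasons in audit_commits(SAMPLE_LOG):
        print(short_hash, email, "; ".join(reasons))
```

Rebased or cherry-picked commits can legitimately show a date gap, so treat the date finding as a prompt for review and the signature status as the stronger signal.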