Breach404
Back to Insights
Secure Software2 min readJuly 8, 2026

GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures

GitHub's cryptographic commit verification can be bypassed by rewriting commits to generate new hashes while maintaining valid signatures, meaning a "Verified" badge does not guarantee the commit content hasn't been altered. Organizations should not rely

GitHub's cryptographic commit verification can be bypassed by rewriting commits to generate new hashes while maintaining valid signatures, meaning a "Verified" badge does not guarantee the commit content hasn't been altered. Organizations should not rely

Read the full article: https://thehackernews.com/2026/07/github-verified-commits-can-be.html

Could your website be vulnerable to attacks like this?

Run a free 10-point security scan on your site — headers, SSL, DNS, and more. Results in 15 seconds.

Test Your Site Now — It's Free