The GitHub Gold Rush: Why 2025’s Most Devastating Attacks Start in Your Repositories

Listen to this Post

Featured Image

Introduction:

The recent Salesloft breach, as detailed by Mandiant, underscores a critical shift in the cyber threat landscape. Attackers are no longer just targeting perimeter defenses; they are exploiting the very heart of modern development—the GitHub ecosystem. This attack vector provides a direct path to lateral movement, data exfiltration, and massive supply chain compromises, making it a top-tier concern for security teams worldwide.

Learning Objectives:

  • Understand the attack chain used in the Salesloft GitHub compromise.
  • Learn critical commands to audit and secure your GitHub organization and actions.
  • Implement hardening measures for integrated cloud environments like AWS to prevent lateral movement.

You Should Know:

1. Auditing GitHub Organization Members and Access

`gh api graphql -f query=’query { organization(login: “org-name”) { membersWithRole(first: 100) { edges { node { login role } } } } }’` (GitHub CLI)
This GraphQL query, executed via the official GitHub CLI, lists the first 100 members of an organization and their roles. Regularly auditing this list is the first line of defense to identify unauthorized users, such as the “guest user” added by the Salesloft threat actor.

Step‑by‑step guide:

  1. Install the GitHub CLI (gh) on your local machine.
  2. Authenticate with `gh auth login` using an account with appropriate privileges.

3. Replace `org-name` with your organization’s login name.

  1. Run the command to output a list of all members and their roles. Scrutinize this list for any unfamiliar or overly privileged accounts.

2. Enumerating GitHub Actions Workflows

`gh workflow list -a -L 200` (GitHub CLI)

`gh api /repos/OWNER/REPO/actions/workflows` (GitHub CLI API Call)

The threat actor established workflows, which can be used to run malicious code in trusted environments. This command lists all workflows (active and inactive) in a repository, allowing you to audit for any unauthorized or suspicious additions.

Step‑by‑step guide:

  1. Navigate to your local clone of the repository you wish to audit.
  2. Run `gh workflow list -a` to see all workflows. The `-L` flag increases the number of results returned.
  3. For a more detailed JSON output, use the API call gh api /repos/OWNER/REPO/actions/workflows.
  4. Investigate the `.github/workflows/` directory in each repo to manually review the YAML files for any recently added, malicious jobs.

3. Reviewing GitHub Audit Logs with the CLI

`gh api /orgs/ORG/audit-log –method GET -F phrase=’action:org.add_member’ -F order=desc -F per_page=100`
The GitHub audit log is a treasure trove of security data. This command fetches the last 100 log entries where a member was added to the organization, which would have captured the actor’s action in the Salesloft case.

Step‑by‑step guide:

  1. You must be an organization owner to access the audit log.

2. Replace `ORG` with your organization’s name.

  1. The `phrase` parameter filters logs for specific events. Other useful phrases include `action:repo.create` (new repo), `action:team.add_member` (added to team), and `action:oauth_application.create` (new app).
  2. Pipe the output to a file (> audit_log.json) for further analysis or import into a SIEM.

  3. Hardening AWS IAM Roles to Prevent Token misuse

`aws iam simulate-principal-policy –policy-source-arn arn:aws:iam::123456789012:user/DriftApp –action-names sts:AssumeRole iam:CreateAccessKey`

The breach pivoted from GitHub to AWS using compromised OAuth tokens. This AWS CLI command uses IAM’s policy simulation feature to check what actions a specific user (e.g., a GitHub Actions runner) can perform, helping you identify over-permissioned roles before an attacker does.

Step‑by‑step guide:

  1. Ensure you have the AWS CLI configured with sufficient IAM permissions.
  2. Identify the ARN (Amazon Resource Name) of the IAM user or role you want to test.

3. Specify the ARN with `–policy-source-arn`.

  1. Use `–action-names` to test for critical permissions like assuming powerful roles or creating new access keys.
  2. Tighten policies based on the results to adhere to the principle of least privilege.

  3. Scanning for Exposed AWS Keys in GitHub History
    `git log -p –all -S “AKIA” –source –all | grep -E “AKIA[0-9A-Z]{16}”`
    `git log -p –all -S “secret” –source –all | head -50`
    Many breaches start with credentials accidentally committed to a repository. These Git commands scan the entire history of a local repo clone for high-confidence AWS key patterns (AKIA) and the string “secret”.

Step‑by‑step guide:

1. `cd` into the root directory of your local git repository.
2. Run the first command to find any AWS access keys that may have been committed. The `-S` option is a “pickaxe” that searches for changes adding or removing that string.
3. The second command searches for commits that may have added the word “secret”.
4. If any findings are confirmed, rotate the keys immediately and use `git filter-repo` to purge the sensitive data from the repository’s history.

6. Validating OAuth Token Scope and Permissions (Bash/CURL)

curl -H "Authorization: token YOUR_OAUTH_TOKEN" https://api.github.com/applications/YOUR_CLIENT_ID/tokens/YOUR_OAUTH_TOKEN`
The attacker leveraged stolen OAuth tokens. This API call checks the valid scopes and permissions associated with a specific OAuth token, allowing you to verify if a token's permissions are excessively broad.
<h2 style="color: yellow;">Step‑by‑step guide:</h2>
1. This requires the `client_id` of the OAuth application that issued the token.
2. Replace the placeholders with the actual token and client ID.
3. The response will include a JSON payload detailing the `scopes` (e.g.,
repo,admin:org,workflow`) granted to the token.
4. Ensure tokens only have the minimum required scopes for their intended function.

  1. Detecting Unusual API Calls with AWS CloudTrail Lookup
    `aws cloudtrail lookup-events –lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole –start-time 2025-03-01T00:00:00Z –end-time 2025-06-30T23:59:59Z`
    Mandiant noted reconnaissance between March and June. This AWS command queries CloudTrail logs for specific high-risk events like `AssumeRole` within a given time frame, which is crucial for post-incident investigation and threat hunting.

Step‑by‑step guide:

  1. CloudTrail must be enabled in your AWS account for this command to return data.
  2. Adjust the `–start-time` and `–end-time` parameters to your desired investigation window.
  3. Other critical `EventName` values to search for include ConsoleLogin, GenerateCredentialReport, and GetUser.
  4. Export the results to JSON for deeper analysis to identify the source IP and user agent of the calls.

What Undercode Say:

  • The software supply chain is the new endpoint. GitHub has become the primary initial access vector for advanced attackers due to its rich permissions and often lax oversight.
  • Identity is the new perimeter. The seamless integration between SaaS platforms (GitHub -> AWS) is a double-edged sword; a compromise in one instantly compromises the other if identity boundaries are not strictly enforced.

The Salesloft incident is not an anomaly but a blueprint. It demonstrates a sophisticated understanding of modern DevOps pipelines. Attackers are betting that organizations have prioritized feature velocity over security hygiene in their CI/CD environments. The ROI for an attacker is astronomical: access to source code provides a roadmap to the organization’s crown jewels, and integrated OAuth tokens and cloud keys are the master keys to the kingdom. Defenders must shift their focus from traditional network perimeters to identity and access management within their development platforms. Continuous auditing of user access, rigorous secret management, and strict enforcement of least privilege in integrated services are no longer optional.

Prediction:

The success of the GitHub-to-cloud attack vector will catalyze a wave of automated attacks targeting poorly secured CI/CD pipelines throughout 2025 and beyond. We will see the emergence of malware specifically designed to exfiltrate GitHub Actions secrets, OAuth tokens, and cloud credentials. This will lead to an increase in software supply chain poisoning attacks, where attackers inject backdoors directly into the build process of legitimate software, affecting thousands of downstream customers. Organizations that fail to implement granular access controls, mandatory code security reviews, and real-time monitoring for their development platforms will be disproportionately impacted.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Devansh Batham – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky