Attackers are increasingly exploiting exposed GitHub Personal Access Tokens to access GitHub Action Secrets and pivot into enterprise cloud environments, according to new research from Wiz, reports InfoWorld.The Wiz Customer Incident Response Team found that many organizations assume private GitHub repositories are secure, even though 73 percent store cloud service provider credentials in GitHub Action Secrets. When a PAT is compromised, threat actors can impersonate developers, explore repositories and workflows, and locate secret references embedded in code, then use them to access AWS, Azure, GCP, or other cloud platforms. Erik Avakian of Info-Tech Research Group said a valid PAT acts like a backstage pass, enabling attackers to deploy resources, steal data, install malware, and establish persistence.Wiz warned that these activities are hard to detect because GitHub API searches are not logged and workflows run from trusted infrastructure. Experts urged enterprises to treat PATs as privileged credentials, enforce least privilege, rotate and expire tokens, move cloud secrets out of workflows, and strengthen monitoring and developer security practices.
Cloud Security, DevOps
GitHub tokens used to breach cloud environments

(Adobe Stock)
An In-Depth Guide to Cloud Security
Get essential knowledge and practical strategies to fortify your cloud security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



