Cloud Security, DevOps

GitHub tokens used to breach cloud environments

The GitHub logo is displayed on a smartphone screen

Attackers are increasingly exploiting exposed GitHub Personal Access Tokens to access GitHub Action Secrets and pivot into enterprise cloud environments, according to new research from Wiz, reports InfoWorld.

The Wiz Customer Incident Response Team found that many organizations assume private GitHub repositories are secure, even though 73 percent store cloud service provider credentials in GitHub Action Secrets. When a PAT is compromised, threat actors can impersonate developers, explore repositories and workflows, and locate secret references embedded in code, then use them to access AWS, Azure, GCP, or other cloud platforms. Erik Avakian of Info-Tech Research Group said a valid PAT acts like a backstage pass, enabling attackers to deploy resources, steal data, install malware, and establish persistence.

Wiz warned that these activities are hard to detect because GitHub API searches are not logged and workflows run from trusted infrastructure. Experts urged enterprises to treat PATs as privileged credentials, enforce least privilege, rotate and expire tokens, move cloud secrets out of workflows, and strengthen monitoring and developer security practices.

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds