Many top-level open source projects found leaking GitHub auth tokens

Many top-level open source projects have been found leaking GitHub auth tokens, putting entire projects at risk of data theft and malicious code tampering.

Cybersecurity researchers from Unit 42 discovered the leaks and reported them to both GitHub and the corresponding project owners. GitHub, however, said it would not be addressing the issue on its side, and that keeping auth tokens out of uploaded artifacts is the responsibility of project owners.

Unit 42 said it found open source projects from the likes of Google, Microsoft, and AWS, leaking GitHub authentication tokens through GitHub Actions artifacts in CI/CD workflows. Should a malicious actor find these tokens, they could use them to access private repositories, steal source code, or even tamper with it, turning legitimate projects into malware.

Multiple payloads

Unit 42 says that a combination of risky default settings, user misconfiguration, and insufficient security checks is at the heart of the problem.

One issue resides in the ‘actions/checkout’ action which, by default (its ‘persist-credentials’ input is true), writes the job’s GitHub token into the checked-out repository’s hidden .git directory as an HTTP authorization header in .git/config, since it is required for later authenticated git operations. If a developer then uploads the complete checkout directory as an artifact for any reason, they inadvertently expose the GitHub token inside the .git folder, and anyone who can download the artifact can read it. The job token itself is invalidated when the job finishes, so the window is short but real, while any long-lived personal access tokens that end up in artifacts do not expire on their own.
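The following scanner is an added example, not code from Unit 42 or from the article; it shows what the leaked credential looks like inside an artifact and how to find it. It assumes the artifact has already been downloaded and extracted to a directory, and it builds a constructed sample tree (with placeholder tokens) so it runs offline. The .git/config entry it looks for, an ‘extraheader = AUTHORIZATION: basic …’ line whose base64 payload decodes to ‘x-access-token:<token>’, is the form actions/checkout uses when ‘persist-credentials’ is left at its default.

```python
"""Scan an extracted GitHub Actions artifact for leaked GitHub tokens."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Prefixes GitHub uses for its token formats: ghs_ is the per-job installation
# token that actions/checkout stores, ghp_ a classic PAT, github_pat_ a
# fine-grained PAT, gho_/ghu_/ghr_ OAuth, user-to-server and refresh tokens.
TOKEN_RE = re.compile(r"(ghs_|ghp_|gho_|ghu_|ghr_|github_pat_)[A-Za-z0-9_]{20,}")
# The line actions/checkout writes into .git/config when persist-credentials
# is left at its default (true).
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def redact(token):
    """Keep only the prefix and the last four characters for reporting."""
    return token[:4] + "..." + token[-4:]


def token_from_extraheader(b64):
    """Decode 'x-access-token:<token>' from the basic-auth value; None if absent."""
    try:
        cred = base64.b64decode(b64, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return None
    _user, _sep, secret = cred.partition(":")
    return secret if TOKEN_RE.fullmatch(secret) else None


def scan_artifact(root):
    """Walk an extracted artifact and return a list of finding dicts."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        rel = str(path.relative_to(root))
        # Case 1: the credential actions/checkout persisted in .git/config.
        if path.name == "config" and path.parent.name == ".git":
            for m in EXTRAHEADER_RE.finditer(text):
                tok = token_from_extraheader(m.group(1))
                if tok:
                    findings.append({"file": rel, "kind": "git-extraheader",
                                     "prefix": TOKEN_RE.match(tok).group(1),
                                     "token": redact(tok)})
        # Case 2: tokens written in clear text anywhere else (logs, env dumps).
        for m in TOKEN_RE.finditer(text):
            findings.append({"file": rel, "kind": "plaintext",
                             "prefix": m.group(1), "token": redact(m.group(0))})
    return findings


def build_sample_artifact():
    """Constructed artifact tree mimicking an upload of a whole checkout."""
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    fake_ghs = "ghs_" + "A" * 36          # placeholder, not a real token
    fake_pat = "ghp_" + "B" * 36          # placeholder, not a real token
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n"
        '[http "https://github.com/"]\n'
        "\textraheader = AUTHORIZATION: basic "
        + base64.b64encode(f"x-access-token:{fake_ghs}".encode()).decode()
        + "\n")
    (root / "build.log").write_text(f"export GH_TOKEN={fake_pat}\nbuild ok\n")
    (root / "README.md").write_text("nothing secret here\n")
    return root


if __name__ == "__main__":
    for f in scan_artifact(build_sample_artifact()):
        print(f"{f['file']}: {f['kind']} {f['prefix']} {f['token']}")
```

On the sample tree the scanner reports two findings: the ghs_ job token hidden in .git/config, which a plain grep for token prefixes would miss because it is base64-encoded, and a ghp_ token dumped in clear text into a build log. The same logic can be run in CI against the artifact directory just before ‘actions/upload-artifact’, and the root cause is avoided by setting ‘persist-credentials: false’ on the checkout step or by not uploading the .git directory at all.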

More details about the different risk factors Unit 42 discovered can be found in its full write-up.

In total, the researchers found 14 open source projects, belonging to major organizations, whose GitHub tokens were exposed in this way. They reported their findings to each one:

Firebase (Google)
OpenSearch Security (AWS)
Clair (Red Hat)
Active Directory System (Adsys) (Canonical)
JSON Schemas (Microsoft)
TypeScript Repos Automation, TypeScript Bot Test Triggerer, Azure Draft (Microsoft)
CycloneDX SBOM (OWASP)
Stockfish
Libevent
Guardian for Apache Kafka (Aiven-Open)
Git Annex (Datalad)
Penrose
Deckhouse
Concrete-ML (Zama AI)

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
