{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/github/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@bitwarden/cli (2026.4.0)","@cap-js/sqlite (2.2.2)","@cap-js/postgres (2.2.2)","@cap-js/db-service (2.10.1)","mbt (1.2.48)","SAP Cloud Application Programming (CAP) Model","checkmarx/kics"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["npm","GitHub","SAP","Bitwarden","Checkmarx","Microsoft"],"content_html":"\u003cp\u003eThe npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string \u0026ldquo;Shai-Hulud: The Third Coming,\u0026rdquo; and the other, dubbed \u0026ldquo;Mini Shai-Hulud,\u0026rdquo; targeted the SAP developer ecosystem. 
The compromised packages are often part of SAP\u0026rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a \u0026ldquo;preinstall\u0026rdquo; hook.\u003c/li\u003e\n\u003cli\u003eExecution of setup.mjs: During the \u003ccode\u003enpm install\u003c/code\u003e process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.\u003c/li\u003e\n\u003cli\u003eBun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.\u003c/li\u003e\n\u003cli\u003eExecution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. 
It also targets Claude and MCP configuration files and Electrum wallets.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.\u003c/li\u003e\n\u003cli\u003ePropagation: The malware searches for commits containing the keyword \u0026ldquo;OhNoWhatsGoingOnWithGitHub,\u0026rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. 
The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor npm install processes for unexpected execution of \u003ccode\u003enode setup.mjs\u003c/code\u003e (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Bun Process Execution\u0026rdquo; to identify potential execution of the Bun runtime from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual processes connecting to \u003ccode\u003eapi.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub\u003c/code\u003e (see IOCs) to detect potential C2 activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Github Commit By Claude Email\u0026rdquo; to identify commits authored with the email \u003ccode\u003eclaude@users.noreply.github.com\u003c/code\u003e to detect malicious commits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T00:10:33Z","date_published":"2026-05-02T00:10:33Z","id":"/briefs/2026-05-npm-supply-chain/","summary":"Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.","title":"Increased npm Supply Chain Attacks Targeting SAP 
Developers","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender","FortiGate","komari-agent"],"_cs_severities":["high"],"_cs_tags":["komari","backdoor","nssm","github","rat","reverse shell"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Fortinet","GitHub"],"content_html":"\u003cp\u003eHuntress discovered threat actors leveraging the Komari monitoring agent as a SYSTEM-level backdoor within a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool. This incident marks a publicly documented case of Komari being abused in a real-world intrusion. The attackers compromised VPN credentials to gain initial access before deploying the Komari agent as a persistent backdoor. Komari inherently functions as a command-and-control (C2) channel, with features enabled by default. The threat actor installed Komari as a Windows service named \u0026ldquo;Windows Update Service\u0026rdquo; using NSSM, directly from the official GitHub repository, which avoided the need for attacker-controlled staging infrastructure. 
The initial discovery occurred on April 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e After establishing the VPN connection, the attacker\u0026rsquo;s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using Impacket\u0026rsquo;s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Access:\u003c/strong\u003e The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence - Service Creation:\u003c/strong\u003e The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named \u0026ldquo;Windows Update Service\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Download:\u003c/strong\u003e The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Access \u0026amp; Execute:\u003c/strong\u003e The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote 
command execution and control over the compromised workstation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. The number of affected organizations is currently unknown, but any organization using the Komari agent without proper security controls is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) and unusual ASNs (ASN 51396) to detect potentially compromised credentials.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Komari Agent Installation via PowerShell\u0026rdquo; to identify installations of the Komari agent.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003enssm.exe\u003c/code\u003e installing a service named \u0026ldquo;Windows Update Service\u0026rdquo; to detect suspicious service installations.\u003c/li\u003e\n\u003cli\u003eBlock the domain raw.githubusercontent[.]com at the DNS resolver or web proxy to prevent the downloading of malicious tools and payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-komari-red/","summary":"Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral 
movement via Impacket.","title":"Komari Agent Abused as SYSTEM-Level Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-04-komari-red/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["medium"],"_cs_tags":["github","audit","data-loss","impact"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (\u003ccode\u003ecodespaces.destroy\u003c/code\u003e), deleting environments (\u003ccode\u003eenvironment.delete\u003c/code\u003e), deleting projects (\u003ccode\u003eproject.delete\u003c/code\u003e), and destroying repositories (\u003ccode\u003erepo.destroy\u003c/code\u003e). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to a GitHub account with sufficient privileges. 
This could be achieved through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don\u0026rsquo;t already have them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Codespaces:\u003c/strong\u003e The attacker executes the \u003ccode\u003ecodespaces.destroy\u003c/code\u003e action, deleting a specific codespace instance, potentially disrupting development workflows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Environments:\u003c/strong\u003e The attacker executes the \u003ccode\u003eenvironment.delete\u003c/code\u003e action, removing a specific environment configuration, potentially affecting deployment processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Projects:\u003c/strong\u003e The attacker executes the \u003ccode\u003eproject.delete\u003c/code\u003e action, deleting a project board and its associated tasks, impacting project management.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Repositories:\u003c/strong\u003e The attacker executes the \u003ccode\u003erepo.destroy\u003c/code\u003e action, permanently deleting a repository, leading to code loss and potential service disruption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these actions can lead to significant 
disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker\u0026rsquo;s access and the criticality of the deleted resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003ecodespaces.destroy\u003c/code\u003e, \u003ccode\u003eenvironment.delete\u003c/code\u003e, \u003ccode\u003eproject.delete\u003c/code\u003e, and \u003ccode\u003erepo.destroy\u003c/code\u003e actions in the GitHub audit logs, and tune for your environment (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).\u003c/li\u003e\n\u003cli\u003eValidate the \u0026ldquo;actor\u0026rdquo; field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T10:00:00Z","date_published":"2026-04-28T10:00:00Z","id":"/briefs/2026-04-github-delete-action/","summary":"This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.","title":"Detection of Github Delete Actions in Audit Logs","url":"https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","GitHub 
Actions"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","github","credential-theft","initial-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the \u003ccode\u003egithub-actions\u003c/code\u003e user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised GitHub accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to AWS using the stolen credentials. 
This generates CloudTrail logs with the attacker\u0026rsquo;s source IP address and ASN.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e, or \u003ccode\u003eListUsers\u003c/code\u003e, to understand the AWS environment and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim\u0026rsquo;s AWS environment. 
Identifying and responding to this threat quickly is vital to minimize damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.\u003c/li\u003e\n\u003cli\u003eRotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement OIDC-based authentication (\u003ccode\u003eaws-actions/configure-aws-credentials\u003c/code\u003e with \u003ccode\u003erole-to-assume\u003c/code\u003e) instead of long-lived access keys as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eIf using OIDC, add IP condition policies to the IAM role trust policy to restrict \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to known GitHub runner IP ranges, based on the information in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:45:55Z","date_published":"2026-04-22T17:45:55Z","id":"/briefs/2024-01-aws-github-actions-credential-theft/","summary":"Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.","title":"AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["github","exfiltration","code_repository"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert identifies potential data exfiltration from GitHub via rapid repository cloning. 
Attackers often target code repositories to steal proprietary code, embedded secrets, and build artifacts. This activity can be indicative of a compromised personal access token (PAT) being used in a script to enumerate and clone repositories from a CI runner or cloud VM. Private and internal repositories are particularly attractive targets, as they often contain sensitive information. The alert focuses on detecting unusual patterns of bulk cloning within a short timeframe, allowing defenders to respond quickly before significant data loss occurs. The original rule was created on 2025/12/16 and updated on 2026/04/10. This activity is often associated with supply chain attacks and the compromise of CI/CD pipelines, similar to the Shai-Hulud attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to a GitHub account or obtains a valid, but misused, Personal Access Token (PAT).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to authenticate to the GitHub API.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s script enumerates accessible repositories within the organization, identifying potential targets.\u003c/li\u003e\n\u003cli\u003eA script is executed to initiate a high volume of \u003ccode\u003egit clone\u003c/code\u003e operations against the targeted repositories.\u003c/li\u003e\n\u003cli\u003eRepositories, including private and internal ones, are cloned to a staging area, often a CI runner or cloud VM.\u003c/li\u003e\n\u003cli\u003eThe cloned data is compressed and staged for exfiltration, potentially involving archiving or large outbound transfers.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the cloned data to an external location, potentially via a web service or other covert channel.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated data is used for malicious purposes, such as reverse engineering, finding vulnerabilities, or selling 
sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of GitHub repositories can lead to the exposure of sensitive source code, trade secrets, and proprietary algorithms. This can result in significant financial losses, reputational damage, and competitive disadvantage. In the event of secrets exposure (API keys, passwords, etc.), downstream systems and services may also be compromised. Depending on the nature of the exfiltrated code, legal and regulatory repercussions are also possible. Mass cloning of dozens of repositories can quickly siphon proprietary code, embedded secrets, and build artifacts across teams before defenses can respond.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub Exfiltration via High Number of Clones in Short Time\u003c/code\u003e to your SIEM and tune the threshold (event_count \u0026gt;= 25) for your environment to reduce false positives based on legitimate automated activity.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub audit logs for \u003ccode\u003egit.clone\u003c/code\u003e events, focusing on users with a high number of clones within a short timeframe to catch suspicious activity.\u003c/li\u003e\n\u003cli\u003eRevoke any GitHub tokens identified as being used for mass cloning, and force password resets and 2FA re-verification for the associated user accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate the originating host (identified by the \u003ccode\u003eagent.id\u003c/code\u003e or \u003ccode\u003euser_agent\u003c/code\u003e fields) for signs of compromise and block/quarantine it to prevent further exfiltration.\u003c/li\u003e\n\u003cli\u003eImplement organization-wide SAML SSO, disallow classic PATs, and enforce IP allowlisting for PAT use to enhance security posture.\u003c/li\u003e\n\u003cli\u003eEnable secret scanning with push 
protection on all repositories to prevent accidental or intentional exposure of credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:40:11Z","date_published":"2026-04-10T17:40:11Z","id":"/briefs/2026-06-github-exfiltration/","summary":"A single user rapidly cloning a high number of GitHub repositories indicates potential exfiltration of sensitive data such as proprietary code, embedded secrets, and build artifacts.","title":"GitHub Exfiltration via High Number of Repository Clones","url":"https://feed.craftedsignal.io/briefs/2026-06-github-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["saas-abuse","phishing","credential-harvesting","github","jira"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Talos has observed a surge in malicious activity that abuses notification pipelines within popular collaboration platforms, such as GitHub and Jira, to distribute spam and phishing emails. This technique, known as Platform-as-a-Proxy (PaaP), enables threat actors to bypass conventional email security filters by leveraging the trusted infrastructure of legitimate SaaS providers. Attackers embed malicious content within system-generated notifications, exploiting the implicit trust organizations place in these platforms. This allows them to effectively weaponize legitimate infrastructure and deliver phishing content, often leading to credential harvesting and subsequent attacks. 
During a campaign on February 17, 2026, approximately 2.89% of emails originating from GitHub were associated with this abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eRepository Creation (GitHub):\u003c/strong\u003e Attackers create new repositories on GitHub to host their malicious content.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Message Crafting (GitHub):\u003c/strong\u003e Attackers craft malicious commit messages containing phishing lures within the mandatory summary field and detailed scam content in the optional extended description field.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommit Push (GitHub):\u003c/strong\u003e Attackers push the crafted commit to the newly created repository, triggering an automated email notification to collaborators and watchers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProject Creation (Jira):\u003c/strong\u003e Attackers create a new Jira Service Management project to configure automated customer invites.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Data Input (Jira):\u003c/strong\u003e Attackers inject malicious lures into data fields, such as the \u0026ldquo;Project Name,\u0026rdquo; \u0026ldquo;Welcome Message,\u0026rdquo; or \u0026ldquo;Project Description\u0026rdquo; fields, within the Jira project configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCustomer Invite (Jira):\u003c/strong\u003e The attacker utilizes the \u0026ldquo;Invite Customers\u0026rdquo; feature and inputs the victim\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAutomated Notification Generation (GitHub/Jira):\u003c/strong\u003e The platforms (GitHub/Jira) automatically generate email notifications containing the attacker-supplied malicious content, bypassing standard email security checks due to the trusted source.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential 
Harvesting/Social Engineering:\u003c/strong\u003e Victims receive the notifications and are tricked into clicking malicious links or providing sensitive information, leading to credential compromise and further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAbusing SaaS notification pipelines can lead to widespread credential compromise and business email compromise (BEC). Successful phishing attacks can grant attackers initial access to corporate networks, enabling data theft, ransomware deployment, and other malicious activities. On February 17, 2026, 2.89% of emails originating from GitHub were associated with this abuse. The trust placed in platforms like GitHub and Jira makes these attacks particularly effective, as users are pre-conditioned to view notifications from these sources as legitimate and urgent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement detection rules to identify suspicious keywords and patterns within commit messages originating from GitHub (see: \u0026ldquo;GitHub Commit Message Phishing Lure\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual Jira project names or welcome messages that contain suspicious URLs or language (see: \u0026ldquo;Jira Service Desk Invite Abuse\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003eReview email logs for messages originating from \u003ccode\u003enoreply[@]github.com\u003c/code\u003e that contain invoice-related lures in the subject line, especially spikes in volume (see IOC table).\u003c/li\u003e\n\u003cli\u003eImplement enhanced email filtering rules to analyze the content of emails originating from SaaS platforms for phishing indicators.\u003c/li\u003e\n\u003cli\u003eEducate users to carefully inspect emails, even from trusted sources like GitHub and Jira, and to verify the legitimacy of links and requests before clicking or providing 
information.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T10:00:35Z","date_published":"2026-04-07T10:00:35Z","id":"/briefs/2026-04-saas-notification-abuse/","summary":"Attackers are abusing notification pipelines in SaaS platforms like GitHub and Jira to deliver phishing and spam emails by exploiting legitimate platform features and bypassing traditional email security measures.","title":"SaaS Notification Pipeline Abuse for Phishing and Spam Campaigns","url":"https://feed.craftedsignal.io/briefs/2026-04-saas-notification-abuse/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","software-compromise","github"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eIn early 2026, a surge in supply chain attacks has been observed, impacting widely used open-source libraries and tools. Notably, Axios, a popular HTTP client library for JavaScript with 100 million weekly downloads, was maliciously modified. Additionally, the \u0026ldquo;chaos-as-a-service\u0026rdquo; group TeamPCP injected malicious code into hijacked GitHub repositories for open-source projects, including Trivy, a security scanner. The Talos 2025 Year in Review indicated that nearly 25% of the top 100 targeted vulnerabilities affected widely used frameworks and libraries. React2Shell became the top-targeted vulnerability of 2025. These incidents highlight the fragility of the software supply chain and the potential for widespread downstream impact, affecting numerous organizations relying on these compromised components. 
Defenders face the challenge of identifying and remediating deeply integrated malicious code within their environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e TeamPCP compromises GitHub repositories of open-source projects like Trivy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e Malicious code is injected into the project\u0026rsquo;s codebase within the compromised GitHub repository.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePackage Build and Distribution:\u003c/strong\u003e The compromised code is included in a new version of the software package during the build process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDistribution via Package Managers:\u003c/strong\u003e The malicious package is distributed through package managers like npm, becoming available for download by developers.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDownstream Consumption:\u003c/strong\u003e Developers unknowingly download and integrate the compromised package into their applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution in Downstream Environments:\u003c/strong\u003e The malicious code executes within the developers\u0026rsquo; applications and environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Exfiltration/Ransomware:\u003c/strong\u003e The injected code performs malicious actions such as data exfiltration or establishing a reverse shell for lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their objectives, such as data theft, system compromise, or ransomware deployment across numerous downstream victims.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of widely used libraries and frameworks like Axios and Trivy can have a vast 
impact, potentially affecting millions of users and organizations. The Axios library alone receives 100 million downloads weekly. The successful exploitation of the React2Shell vulnerability demonstrates the speed at which these attacks can reach massive scale. The resulting damage can range from data breaches and system compromise to ransomware deployment, affecting organizations across various sectors. The integration of these utilities often makes full cataloging and remediation challenging, leading to prolonged exposure and increased risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecure CI/CD pipelines to prevent compromises from occurring, addressing the attack vector used by TeamPCP.\u003c/li\u003e\n\u003cli\u003eImplement robust logging to monitor for suspicious activity related to compromised packages and aid in incident response.\u003c/li\u003e\n\u003cli\u003eOrganizations must inventory the software libraries and frameworks they employ and rapidly implement patching and other mitigations when security incidents are reported.\u003c/li\u003e\n\u003cli\u003eImplement robust multi-factor authentication (MFA) to protect developer accounts on platforms like GitHub.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T17:31:42Z","date_published":"2026-04-03T17:31:42Z","id":"/briefs/2026-04-supply-chain-attacks/","summary":"Multiple supply chain attacks, including the compromise of Axios and Trivy via hijacked GitHub repositories by TeamPCP, demonstrate the increasing threat to open-source software.","title":"Rise in Software Supply Chain Attacks Targeting Open-Source 
Libraries","url":"https://feed.craftedsignal.io/briefs/2026-04-supply-chain-attacks/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github","agent-skills","repository-hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA supply chain attack has been identified targeting agent skill marketplaces that utilize a link-out distribution model, specifically indexing skills via GitHub repository URLs. The vulnerability arises when original repository owners rename their GitHub accounts, making the previous username available for takeover. Attackers can claim the orphaned username, recreate the repository, and intercept all future skill downloads. A study found 121 skills forwarding to 7 vulnerable repositories, with the most-downloaded hijackable skill having over 2,000 downloads. Further analysis of 238,180 unique skills from various marketplaces revealed significant disagreement among scanners, with fail rates ranging from 3.79% to 41.93%. Additionally, live API credentials for services such as NVIDIA, ElevenLabs, Gemini, and MongoDB were found embedded within the analyzed corpus, highlighting a severe lack of security hygiene in the agent skill ecosystem. 
This attack highlights the risks associated with relying on external repositories and the need for robust validation mechanisms in agent skill marketplaces.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eOriginal GitHub repository owner renames their account, making the old username available.\u003c/li\u003e\n\u003cli\u003eAttacker registers the now-available GitHub username.\u003c/li\u003e\n\u003cli\u003eAttacker recreates the repository at the same URL as the original skill.\u003c/li\u003e\n\u003cli\u003eUsers download the \u0026ldquo;skill\u0026rdquo; from the marketplace, which now points to the attacker\u0026rsquo;s repository.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s repository serves malicious code instead of the original skill.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes on the user\u0026rsquo;s system or agent platform.\u003c/li\u003e\n\u003cli\u003eAttackers leverage the skill to gain access to the victim\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003eAttackers exfiltrate sensitive data or deploy further malicious payloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack can compromise systems and data by delivering malicious code through hijacked agent skills. The discovery of 121 vulnerable skills and 7 vulnerable repositories demonstrates the scale of this threat. The presence of live API credentials for major services like NVIDIA, ElevenLabs, Gemini, and MongoDB within the skill corpus suggests widespread insecure development practices. Successful exploitation can lead to data breaches, system compromise, and unauthorized access to cloud services, potentially impacting numerous users and organizations relying on these agent skills. 
The disagreement between scanners highlights the difficulty in detecting these malicious skills, further compounding the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement monitoring for GitHub repository ownership changes for all deployed skills to detect potential hijacking (refer to Attack Chain).\u003c/li\u003e\n\u003cli\u003ePin skills to specific commit hashes rather than mutable branch heads to ensure code integrity (refer to Attack Chain).\u003c/li\u003e\n\u003cli\u003eRequire a minimum of two independent scanners to flag a skill before treating it as confirmed malicious to reduce false positives (refer to Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to identify potential GitHub username registration events (see \u0026ldquo;Detect GitHub Username Registration\u0026rdquo; rule).\u003c/li\u003e\n\u003cli\u003ePrefer direct-hosting marketplaces over link-out distribution models to reduce reliance on external repositories (refer to Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-agent-skill-hijacking/","summary":"A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, allowing threat actors to intercept skill downloads from vulnerable repositories, with scanners showing significant disagreement on malicious skill identification and embedded live API credentials discovered.","title":"Agent Skill Marketplace Supply Chain Attack via GitHub Account Hijacking","url":"https://feed.craftedsignal.io/briefs/2026-03-agent-skill-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["github","malware","macos","credential-theft","ai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eGhostLoader is a malware campaign observed using GitHub repositories 
and AI-assisted development workflows to deliver malicious payloads specifically designed to steal credentials from macOS systems. The threat leverages the trust associated with software repositories and the increasing adoption of AI tools in development to potentially bypass security measures. While the exact start date of the campaign is not specified, the report from Jamf highlights its recent emergence as a notable threat. Defenders should prioritize monitoring for suspicious activity related to GitHub repositories and unusual AI-driven development processes. The targeted scope appears to be macOS users who engage with software development resources and AI-related tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates a seemingly legitimate software repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe repository contains a project with files that may appear benign or related to AI workflows.\u003c/li\u003e\n\u003cli\u003eA malicious script or binary, named GhostLoader, is included within the repository or downloaded as a dependency.\u003c/li\u003e\n\u003cli\u003eA user downloads or clones the repository, potentially enticed by AI-assisted development features or other seemingly useful functionality.\u003c/li\u003e\n\u003cli\u003eThe user executes the GhostLoader script or binary on their macOS system.\u003c/li\u003e\n\u003cli\u003eGhostLoader executes, initiating the credential-stealing process.\u003c/li\u003e\n\u003cli\u003eStolen credentials are collected and potentially exfiltrated to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to user accounts or sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe GhostLoader malware directly targets macOS systems and focuses on credential theft. 
Successful attacks can lead to unauthorized access to sensitive user accounts, intellectual property, and confidential data. The number of victims and specific sectors targeted remain unclear, but the use of GitHub and AI workflows suggests a focus on developers or users involved in AI-related activities. The compromise of credentials can have severe consequences, including financial loss, data breaches, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events on macOS for execution of unusual or unsigned binaries in user directories, potentially indicative of GhostLoader execution (see process creation rule).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to known malicious infrastructure or unusual data exfiltration patterns after the execution of scripts from cloned GitHub repositories.\u003c/li\u003e\n\u003cli\u003eEducate developers and users about the risks of downloading and executing code from untrusted sources, particularly those related to AI-assisted workflows.\u003c/li\u003e\n\u003cli\u003eEnable and review macOS system logs for suspicious activity related to credential access and keychain modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T13:03:03Z","date_published":"2026-03-21T13:03:03Z","id":"/briefs/2024-01-ghostloader/","summary":"GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.","title":"GhostLoader Malware Targeting macOS via GitHub and AI Workflows","url":"https://feed.craftedsignal.io/briefs/2024-01-ghostloader/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","unicode","malware","github"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Glassworm malware is a newly 
discovered threat that uses invisible Unicode characters within source code to inject malicious payloads into software projects. Discovered in early 2026, this malware has already compromised over 150 repositories on GitHub. The attack focuses on injecting these invisible characters into popular repositories, particularly those related to JavaScript and Node.js development, potentially impacting a wide range of applications and services. The delivery mechanism involves contributors with malicious intent adding these characters or compromised accounts injecting them. This sophisticated approach allows the malware to remain undetected during code reviews and traditional security scans, making it a significant threat to the software supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor gains commit access to a target GitHub repository through either direct contribution or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe actor injects invisible Unicode characters into source code files, such as JavaScript or package.json files.\u003c/li\u003e\n\u003cli\u003eThese Unicode characters are strategically placed within the code to be innocuous visually but alter the program\u0026rsquo;s execution when interpreted.\u003c/li\u003e\n\u003cli\u003eThe altered code, containing the Unicode characters, is committed to the repository, potentially passing initial code review checks due to the characters\u0026rsquo; invisibility.\u003c/li\u003e\n\u003cli\u003eWhen a developer clones or downloads the compromised repository, the Unicode characters are included in their local copy of the code.\u003c/li\u003e\n\u003cli\u003eDuring the build process (e.g., \u003ccode\u003enpm install\u003c/code\u003e), the malicious code embedded within the Unicode characters is executed.\u003c/li\u003e\n\u003cli\u003eThis execution leads to the download and execution of a secondary payload 
from a remote server, potentially installing malware or backdoors, or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is to compromise the developer\u0026rsquo;s system or to inject malicious code into applications built using the compromised repository, thus propagating the malware further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of Glassworm can lead to widespread supply chain compromise, potentially affecting thousands of developers and end-users. Over 150 GitHub repositories have already been identified as infected, and the actual number could be much higher. Successful exploitation leads to arbitrary code execution on developer machines and within deployed applications. The compromised code can steal credentials, inject backdoors, and exfiltrate sensitive data, leading to significant financial and reputational damage. The lack of visibility makes remediation challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement static analysis tools capable of detecting invisible Unicode characters in source code repositories (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to identify suspicious process executions originating from build processes that may indicate Glassworm activity.\u003c/li\u003e\n\u003cli\u003eEducate developers about the risks associated with invisible Unicode characters and the importance of careful code review (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication on all developer accounts to prevent account compromise (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to suspicious or unknown domains originating from build processes (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eUtilize file integrity monitoring (FIM) to track 
changes to critical files within repositories and development environments (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T15:30:24Z","date_published":"2026-03-15T15:30:24Z","id":"/briefs/2024-02-29-glassworm-unicode-malware/","summary":"The Glassworm malware utilizes invisible Unicode characters to infect over 150 GitHub repositories, posing a supply chain risk to developers and users.","title":"Glassworm Malware Hidden in Unicode Characters Affecting GitHub Repositories","url":"https://feed.craftedsignal.io/briefs/2024-02-29-glassworm-unicode-malware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["malware","github","infrastructure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief summarizes an analysis of GlassWorm V2, focusing on its infrastructure rotation and GitHub injection techniques. While specific details regarding the threat actor and initial attack vectors are not provided in this analysis, the report highlights the malware\u0026rsquo;s ability to dynamically change its command and control (C2) infrastructure and potentially leverage GitHub for code injection or storage. Understanding these techniques is crucial for defenders to develop robust detection and mitigation strategies against this evolving threat. 
The full analysis is available on Codeberg.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The specific initial access vector is unknown.\u003c/li\u003e\n\u003cli\u003eGitHub Injection: The malware leverages GitHub to host malicious code or configurations, potentially obfuscating its activities within legitimate traffic.\u003c/li\u003e\n\u003cli\u003eInfrastructure Rotation: GlassWorm V2 employs techniques to rotate its C2 infrastructure, making it more difficult to track and block.\u003c/li\u003e\n\u003cli\u003eCommunication: The malware establishes communication with its C2 server using the dynamically updated infrastructure.\u003c/li\u003e\n\u003cli\u003eCommand Execution: The C2 server issues commands to the infected host.\u003c/li\u003e\n\u003cli\u003ePersistence: An unknown persistence mechanism is used.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Lateral Movement/Impact: The ultimate goal is currently unknown.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of a successful GlassWorm V2 infection could range from data theft and system compromise to disruption of services, depending on the specific objectives of the attacker. The use of infrastructure rotation makes it harder to block attacker infrastructure. 
The GitHub injection may also lead to supply chain concerns.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or newly registered domains, even if they initially appear benign.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on systems to detect unauthorized modifications to critical system files.\u003c/li\u003e\n\u003cli\u003eConsider using tools that specifically analyze and detect malicious use of GitHub repositories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-15T13:51:21Z","date_published":"2026-03-15T13:51:21Z","id":"/briefs/2024-01-26-glassworm-v2-analysis/","summary":"Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.","title":"GlassWorm V2 Infrastructure Rotation and GitHub Injection Analysis","url":"https://feed.craftedsignal.io/briefs/2024-01-26-glassworm-v2-analysis/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["medium"],"_cs_tags":["github","ssh","certificate","initial-access","persistence","privilege-escalation","stealth","t1078.004"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eAttackers can abuse SSH certificate authorities in GitHub to gain unauthorized access to repositories. By creating or disabling SSH certificate requirements, attackers can bypass existing security controls and establish persistent access. This activity is logged in the GitHub audit logs, specifically when \u003ccode\u003essh_certificate_authority.create\u003c/code\u003e or \u003ccode\u003essh_certificate_requirement.disable\u003c/code\u003e actions are performed. Successful exploitation allows attackers to commit malicious code, steal sensitive data, or disrupt development workflows, impacting the integrity and confidentiality of the organization\u0026rsquo;s resources. 
The GitHub audit log streaming feature must be enabled to detect this activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a GitHub organization, potentially through compromised credentials or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates their privileges to an organizational role capable of managing SSH certificate authorities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSSH Certificate Authority Creation:\u003c/strong\u003e The attacker creates a new SSH certificate authority within the GitHub organization (\u003ccode\u003essh_certificate_authority.create\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable SSH Certificate Requirement:\u003c/strong\u003e Alternatively, the attacker disables the requirement for members to use SSH certificates to access organization resources (\u003ccode\u003essh_certificate_requirement.disable\u003c/code\u003e). 
This action allows attackers to bypass security controls that enforce SSH certificate usage.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e The attacker utilizes the newly created SSH certificate authority or the disabled requirement to access repositories without proper authorization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally within the GitHub organization, accessing additional repositories and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Malicious Code Injection:\u003c/strong\u003e The attacker exfiltrates sensitive data or injects malicious code into the organization\u0026rsquo;s repositories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker maintains persistent access by using the created SSH certificate authority or the disabled requirement for future unauthorized activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of SSH certificate configurations in GitHub can lead to unauthorized code commits, data breaches, and supply chain attacks. This could result in financial losses, reputational damage, and legal repercussions for the affected organization. 
The number of affected repositories and the severity of the impact depend on the scope of the attacker\u0026rsquo;s access and the sensitivity of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the GitHub audit log streaming feature to capture SSH certificate configuration changes (logsource: github, service: audit, definition).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003essh_certificate_authority.create\u003c/code\u003e or \u003ccode\u003essh_certificate_requirement.disable\u003c/code\u003e events in the GitHub audit logs (rule: Github SSH Certificate Configuration Changed).\u003c/li\u003e\n\u003cli\u003eRegularly review GitHub audit logs for any unauthorized modifications to SSH certificate configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T14:00:00Z","date_published":"2024-11-02T14:00:00Z","id":"/briefs/2024-11-github-ssh-cert-config-changed/","summary":"Attackers can modify SSH certificate configurations in GitHub organizations to gain unauthorized access, persist in the environment, escalate privileges, and operate stealthily.","title":"GitHub SSH Certificate Configuration Changed","url":"https://feed.craftedsignal.io/briefs/2024-11-github-ssh-cert-config-changed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["high"],"_cs_tags":["github","security-configuration","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief addresses the threat of unauthorized or malicious disabling of security features within GitHub organizations and repositories. Attackers or malicious insiders might disable features like Advanced Security, OAuth application restrictions, or two-factor authentication to weaken the security posture, gain unauthorized access, and establish persistence. 
The affected features span across advanced security, OAuth application management, and two-factor authentication enforcement. These actions can be performed by users with administrative or owner privileges within the GitHub organization. Defenders need to monitor for these configuration changes to ensure security best practices are maintained and to quickly identify potential malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with organization owner or administrator privileges through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization or repository using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization settings or repository settings, depending on the scope of the targeted security feature.\u003c/li\u003e\n\u003cli\u003eThe attacker disables advanced security features (e.g., \u003ccode\u003ebusiness_advanced_security.disabled_for_new_repos\u003c/code\u003e, \u003ccode\u003erepo.advanced_security_disabled\u003c/code\u003e) through the GitHub web interface or API.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker disables OAuth application restrictions (\u003ccode\u003eorg.disable_oauth_app_restrictions\u003c/code\u003e) to allow potentially malicious applications to access organizational data.\u003c/li\u003e\n\u003cli\u003eOr, the attacker disables the two-factor authentication requirement (\u003ccode\u003eorg.disable_two_factor_requirement\u003c/code\u003e) for the organization, weakening account security.\u003c/li\u003e\n\u003cli\u003eThe attacker may then proceed to exploit the weakened security posture to access sensitive repositories, modify code, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistent access by creating rogue OAuth applications or adding unauthorized 
users to the organization.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling security features in GitHub can lead to severe consequences. A successful attack can result in unauthorized access to sensitive code repositories, intellectual property theft, and data breaches. Disabling two-factor authentication makes accounts more vulnerable to credential stuffing and phishing attacks. The scope can range from a single repository to an entire organization, impacting hundreds or thousands of users and projects. The financial and reputational damage to the organization can be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub High Risk Configuration Disabled\u003c/code\u003e to detect the disabling of critical security features by monitoring GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eEnable audit log streaming as documented in the rule definition to ensure that the necessary logs are captured for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of security feature disabling to determine if they are legitimate administrator actions or malicious activity.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users, especially those with administrative privileges, and monitor for attempts to disable MFA.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate GitHub organization and repository settings to ensure that security features are enabled and configured correctly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-31T18:22:00Z","date_published":"2024-10-31T18:22:00Z","id":"/briefs/2024-11-github-security-disabled/","summary":"An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and 
persistent compromise.","title":"GitHub Security Feature Disablement","url":"https://feed.craftedsignal.io/briefs/2024-11-github-security-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["low"],"_cs_tags":["defense-impairment","t1685","github"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis alert detects when a GitHub user bypasses the push protection mechanism designed to prevent secrets from being committed to a repository. GitHub\u0026rsquo;s push protection, part of its secret scanning feature, is intended to block commits containing sensitive information like API keys or credentials. A bypass indicates a deliberate attempt to circumvent this security measure. A successful bypass can lead to exposure of secrets, increasing the risk of unauthorized access and data breaches. The activity is logged within GitHub\u0026rsquo;s audit logs, provided that the audit log streaming feature is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer attempts to commit code containing a secret to a GitHub repository.\u003c/li\u003e\n\u003cli\u003eGitHub\u0026rsquo;s push protection mechanism detects the secret and blocks the push.\u003c/li\u003e\n\u003cli\u003eThe developer intentionally bypasses the push protection, potentially using allowed administrative activities to circumvent the block.\u003c/li\u003e\n\u003cli\u003eThe code, including the secret, is successfully pushed to the repository.\u003c/li\u003e\n\u003cli\u003eThe secret becomes exposed within the repository\u0026rsquo;s history.\u003c/li\u003e\n\u003cli\u003eUnauthorized actors may discover the exposed secret by scanning the repository.\u003c/li\u003e\n\u003cli\u003eUnauthorized actors may use the exposed secret to gain unauthorized access to systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bypass of GitHub push protection can lead to secrets being exposed in a repository. This exposure can lead to unauthorized access to sensitive systems or data. The severity of the impact depends on the scope of access granted by the exposed secret, and the visibility of the repository.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable audit log streaming in GitHub to ensure relevant events are captured.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Push Protection Bypass Detected\u0026rdquo; to your SIEM and tune for your environment using GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected bypass events to determine the context and impact of the bypassed secret.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-github-push-protection-bypass/","summary":"Detection of a GitHub user bypassing push protection, potentially leading to the exposure of secrets.","title":"GitHub Push Protection Bypass Detection","url":"https://feed.craftedsignal.io/briefs/2024-04-github-push-protection-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Actions"],"_cs_severities":["low"],"_cs_tags":["github","persistence","privilege-escalation","initial-access"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis detection identifies the creation of new secrets within GitHub Actions. Threat actors may create or modify secrets to gain unauthorized access, establish persistence, or escalate privileges within the GitHub environment. The activity is captured via GitHub\u0026rsquo;s audit logs. The scope of this detection encompasses the creation of secrets at the organization, environment, codespaces, or repository level. 
Successful detection of this activity allows security teams to investigate potentially malicious modifications to GitHub Actions secrets, which could lead to supply chain compromise or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GitHub account, potentially through compromised credentials or phishing (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization or repository.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings for the organization, environment, codespaces, or repository.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new secret within the GitHub Actions settings, using the GitHub API or web interface.\u003c/li\u003e\n\u003cli\u003eThe secret is stored within GitHub\u0026rsquo;s infrastructure, accessible to GitHub Actions workflows.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a GitHub Actions workflow that utilizes the newly created secret.\u003c/li\u003e\n\u003cli\u003eThe workflow executes, using the secret to perform privileged actions such as accessing sensitive data or deploying malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or elevates their privileges within the GitHub environment, potentially compromising the entire software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, code injection, and supply chain compromise. The impact ranges from low, in cases where the secret is used for benign purposes, to critical if the secret is used to deploy malicious code into production environments. 
While the number of affected organizations is unknown, the potential for widespread impact across the software supply chain makes this a critical area for monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub audit log streaming to capture the events necessary for this detection (see \u003ccode\u003elogsource\u003c/code\u003e definition).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub New Secret Created\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u0026ldquo;actor\u0026rdquo; involved in creating the secret.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-github-secret-creation/","summary":"This analytic detects the creation of new GitHub Actions secrets at the organization, environment, codespaces, or repository level, potentially indicating malicious persistence or privilege escalation.","title":"Detection of New GitHub Actions Secrets Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-github-secret-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub"],"_cs_severities":["low"],"_cs_tags":["github","repository","archive","unarchive","persistence","impact","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub\u0026rsquo;s audit logs and can be monitored to identify potentially malicious actions. 
Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with repository administration privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the settings page of a target repository.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the repository\u0026rsquo;s archive status, either archiving or unarchiving it depending on their objective.\u003c/li\u003e\n\u003cli\u003eGitHub logs the \u0026lsquo;repo.archived\u0026rsquo; or \u0026lsquo;repo.unarchived\u0026rsquo; action in the organization\u0026rsquo;s audit logs.\u003c/li\u003e\n\u003cli\u003e(If archiving) Legitimate users may lose access to the repository and its code, causing disruption.\u003c/li\u003e\n\u003cli\u003e(If unarchiving) The attacker might reintroduce vulnerable code or malicious content into an active repository.\u003c/li\u003e\n\u003cli\u003eThe attacker may then attempt to exploit the unarchived repository for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. 
The number of affected repositories depends on the scope of the attacker\u0026rsquo;s access and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GitHub Repository Archive Status Changed\u0026rdquo; to your SIEM and tune for your environment. This rule detects the \u003ccode\u003erepo.archived\u003c/code\u003e and \u003ccode\u003erepo.unarchived\u003c/code\u003e actions in GitHub audit logs (logsource: github, service: audit).\u003c/li\u003e\n\u003cli\u003eReview GitHub audit logs regularly for unexpected repository archiving or unarchiving events.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected events to determine if the actions were authorized.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T15:00:00Z","date_published":"2024-01-04T15:00:00Z","id":"/briefs/2024-01-github-repo-archive-status-changed/","summary":"Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.","title":"GitHub Repository Archive Status Changed","url":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-archive-status-changed/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Actions"],"_cs_severities":["low"],"_cs_tags":["github","self-hosted-runner","audit-log","devops","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting changes to self-hosted runner configurations within GitHub environments. Self-hosted runners are systems deployed and managed by users to execute jobs from GitHub Actions, providing flexibility and control over the execution environment. Monitoring these runners is crucial because unauthorized modifications can lead to various malicious activities, including data collection, persistence, privilege escalation, or even initial access. 
The rule provided detects such changes based on audit logs, requiring administrators to validate the changes through the GitHub UI for complete context. Detecting these modifications early can help prevent or mitigate potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub organization or repository with permissions to manage self-hosted runners. This could be achieved through compromised credentials (T1078.004) or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the configuration of an existing self-hosted runner group or creates a new runner group (org.runner_group_created).\u003c/li\u003e\n\u003cli\u003eThe attacker adds or removes runners from a runner group (org.runner_group_runners_added, org.runner_group_runner_removed, org.runner_group_updated).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker registers a new self-hosted runner within the environment (repo.register_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker removes an existing self-hosted runner from the environment (repo.remove_self_hosted_runner, org.remove_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised runner or runner group to execute malicious code within the GitHub Actions workflow, potentially collecting sensitive data or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised runner to establish persistence within the GitHub environment, ensuring continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the compromised runner to gain initial access to other systems or networks connected to the GitHub environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised self-hosted runners can lead to a range of impacts, including data exfiltration, code injection, and 
privilege escalation within the targeted GitHub environment. Successful attacks could result in unauthorized access to sensitive repositories, modification of code, or deployment of malicious software. The impact can vary depending on the scope of the compromised runner and the permissions associated with it. The effects could extend beyond the GitHub environment if the compromised runner has access to other systems or networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the audit log streaming feature in GitHub to capture events related to self-hosted runner modifications, as required by the logsource definition.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Self Hosted Runner Changes Detected\u0026rdquo; to your SIEM and tune for your specific environment to detect suspicious configuration changes.\u003c/li\u003e\n\u003cli\u003eRegularly review the audit logs in the GitHub UI to validate any detected changes to self-hosted runners and runner groups to ensure legitimate modifications.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for managing self-hosted runners, limiting permissions to only authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-github-runner-changes/","summary":"Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.","title":"GitHub Self-Hosted Runner Configuration Changes Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-github-runner-changes/"}],"language":"en","title":"CraftedSignal Threat Feed — Github","version":"https://jsonfeed.org/version/1.1"}