GitHub API calls by a malicious caller

ID: github_malicious_caller
Data type: GitHub
Severity: Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected GitHub API calls by a likely malicious caller. This may indicate that the request originated from an IP address listed on known blocklists, or that the use of penetration testing tools or anonymous proxies such as Tor or Freenet was identified.

Impact

This activity could indicate an ongoing attack on the GitHub environment, potentially leading to unauthorized repository access, sensitive data disclosure, intellectual property theft, or further lateral movement within the infrastructure.

Severity

Severity | Condition
Medium   | GitHub API calls by a likely malicious caller

Investigation and Remediation

Temporarily disable or restrict access for the suspicious account. Review the GitHub audit logs to identify the specific actions taken by the suspicious caller. Verify whether these actions were authorized and performed by a legitimate user. If unauthorized, reset affected credentials and conduct a thorough security audit of the GitHub environment for other signs of potential compromise.
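The audit-log review above is the step most worth automating: given the caller IP(s) the alert flagged, pull every action taken from those addresses, group them per actor, and mark the actors whose actions changed credentials or membership, since those are the ones whose credentials need resetting if the activity turns out to be unauthorized. The script below is an added example written for this page, not AlphaSOC's code or GitHub's tooling. It assumes an audit-log export in newline-delimited JSON with the fields `@timestamp`, `action`, `actor`, `actor_ip`, `repo` and `user`; the log lines, the flagged IP and the `CREDENTIAL_ACTIONS` list are constructed for illustration.

```python
"""Triage helper for the 'GitHub API calls by a malicious caller' alert.

Added example, not AlphaSOC's code. Given exported GitHub audit-log events
(JSON objects, one per line) and the caller IP(s) the alert flagged, it
groups the actions taken from those IPs per actor so a responder can check
whether each was authorized. Field names assume the GitHub audit-log export
format (@timestamp, action, actor, actor_ip, repo, user); the log lines
below are constructed sample data using documentation IP ranges.
"""
import json
from collections import defaultdict

# Constructed sample audit-log export (newline-delimited JSON).
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1700000000000, "action": "git.clone", "actor": "jdoe", "actor_ip": "198.51.100.23", "repo": "acme/payments"}
{"@timestamp": 1700000060000, "action": "repo.download_zip", "actor": "jdoe", "actor_ip": "198.51.100.23", "repo": "acme/infra-secrets"}
{"@timestamp": 1700000120000, "action": "personal_access_token.create", "actor": "jdoe", "actor_ip": "198.51.100.23"}
{"@timestamp": 1700000180000, "action": "git.push", "actor": "asmith", "actor_ip": "203.0.113.7", "repo": "acme/website"}
{"@timestamp": 1700000240000, "action": "org.add_member", "actor": "jdoe", "actor_ip": "198.51.100.23", "user": "newuser"}
"""

# Actions that justify a credential reset if they turn out to be unauthorized:
# they change who can authenticate or what a token can reach. This is an
# illustrative list chosen for the example, not an AlphaSOC definition.
CREDENTIAL_ACTIONS = {
    "personal_access_token.create",
    "oauth_application.create",
    "public_key.create",
    "org.add_member",
    "repo.add_member",
}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged export line should not abort triage
    return events


def actions_from_flagged_ips(events, flagged_ips):
    """Group actions taken from the flagged IPs by actor.

    Returns {actor: [(timestamp_ms, action, target), ...]} sorted by time,
    where target is the repo or user the action touched (None if neither).
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("actor_ip") not in flagged_ips:
            continue
        target = ev.get("repo") or ev.get("user")
        by_actor[ev.get("actor", "<unknown>")].append(
            (ev.get("@timestamp", 0), ev["action"], target)
        )
    for acts in by_actor.values():
        acts.sort(key=lambda a: a[0])
    return dict(by_actor)


def credential_reset_candidates(by_actor):
    """Actors who performed a credential or membership change from a flagged IP."""
    return sorted(
        actor for actor, acts in by_actor.items()
        if any(action in CREDENTIAL_ACTIONS for _, action, _ in acts)
    )


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    summary = actions_from_flagged_ips(events, {"198.51.100.23"})
    for actor, acts in summary.items():
        print(f"{actor}: {len(acts)} action(s) from flagged IP(s)")
        for ts, action, target in acts:
            print(f"  {ts}  {action}  {target or ''}")
    print("credential reset candidates:", credential_reset_candidates(summary))
```

Run against a real export, the per-actor listing answers the page's "which actions were taken" question directly, and the reset-candidate list tells the responder whose tokens, keys or memberships to revoke first; actions from the flagged IP that do not appear in the list are still reviewed for authorization, they just do not by themselves imply a credential change.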