GitHub OAuth secret removed
Description
AlphaSOC detected that a GitHub OAuth secret was removed. OAuth secrets are critical authentication credentials that allow applications to access GitHub resources on behalf of users. Threat actors who gain access to GitHub accounts may remove OAuth secrets to disrupt legitimate integrations, prevent detection of their activities, or cover their tracks after exploiting compromised credentials.
Impact
Removal of OAuth secrets can disrupt critical integrations and automated workflows. This activity may indicate that threat actors have compromised the GitHub account and are attempting to hide evidence of unauthorized access or preparing to establish their own authentication methods.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub OAuth secret removed |
Investigation and Remediation
Review GitHub audit logs to identify who removed the OAuth secret and examine any other actions performed by the same user or from the same IP address around the time of removal. Check for any new OAuth applications or secrets that may have been created as replacements. Verify whether the removal was authorized. If unauthorized, immediately revoke all active sessions, rotate any potentially compromised credentials, review and audit all OAuth applications with repository access, enable two-factor authentication if not already active, and conduct a comprehensive security review of the affected account and associated repositories.
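One way to run the audit-log correlation described above, as an added example that is not AlphaSOC's or GitHub's code: it parses constructed audit-log lines, finds the secret-removal event, lists the other actions from the same actor or the same IP within an hour, and flags any replacement OAuth application created afterwards. The action names and JSON field names are assumptions about the GitHub audit-log export format, not values taken from this page.

```python
# Added triage helper for a "GitHub OAuth secret removed" alert (example code,
# not AlphaSOC's). Assumed GitHub audit-log export shape (JSON Lines):
# "@timestamp" in epoch ms, "action", "actor", "actor_ip", "oauth_application_id".
import json
from datetime import timedelta
REMOVAL_ACTION = "oauth_application.remove_client_secret"  # assumed action name
REPLACEMENT_ACTIONS = {  # assumed names for "replacement app/secret" events
    "oauth_application.create",
    "oauth_application.generate_client_secret",
}
# Constructed sample audit-log lines (not real data); timestamps are epoch ms.
SAMPLE_LOG = """
{"@timestamp": 1700000000000, "action": "org.update_member", "actor": "mallory", "actor_ip": "203.0.113.9"}
{"@timestamp": 1700000300000, "action": "oauth_application.remove_client_secret", "actor": "mallory", "actor_ip": "203.0.113.9", "oauth_application_id": 1234}
{"@timestamp": 1700000420000, "action": "oauth_application.create", "actor": "mallory", "actor_ip": "203.0.113.9", "oauth_application_id": 9876}
{"@timestamp": 1700000500000, "action": "repo.download_zip", "actor": "svc-ci", "actor_ip": "203.0.113.9"}
{"@timestamp": 1700009000000, "action": "repo.create", "actor": "alice", "actor_ip": "198.51.100.7"}
""".strip()


def parse_events(text):
    """Parse JSON Lines into a list of event dicts sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["@timestamp"])


def triage(events, window=timedelta(hours=1)):
    """For every secret-removal event, collect what the runbook asks for:
    other actions by the same actor OR from the same IP within +/- window,
    and any replacement OAuth app/secret created after the removal."""
    span_ms = int(window.total_seconds() * 1000)
    findings = []
    for ev in events:
        if ev["action"] != REMOVAL_ACTION:
            continue
        related = [o for o in events if o is not ev
                   and abs(o["@timestamp"] - ev["@timestamp"]) <= span_ms
                   and (o.get("actor") == ev.get("actor")
                        or o.get("actor_ip") == ev.get("actor_ip"))]
        replacements = [o for o in related
                        if o["action"] in REPLACEMENT_ACTIONS
                        and o["@timestamp"] > ev["@timestamp"]]
        findings.append({
            "removed_by": ev.get("actor"),
            "from_ip": ev.get("actor_ip"),
            "app_id": ev.get("oauth_application_id"),
            "related_actions": [(o["actor"], o["action"]) for o in related],
            "replacement_app_ids": [o.get("oauth_application_id") for o in replacements],
        })
    return findings
```

In the constructed sample, the actor who removed the secret creates a new OAuth application two minutes later and a service account acts from the same IP, which is exactly the pattern the investigation step above tells you to look for.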