Suspicious GitHub actions performed via OAuth access token
Description
AlphaSOC detected suspicious GitHub actions performed using an OAuth access token. OAuth tokens provide programmatic access to GitHub repositories and can be used to perform various operations including code commits, repository modifications, and data access.
Impact
Threat actors may compromise OAuth tokens to gain unauthorized access to development environments, steal source code, inject malicious code into repositories, or perform other unauthorized actions.
Severity
Severity | Condition |
---|---|
Low | Suspicious GitHub actions performed via OAuth access token |
Investigation and Remediation
Audit all OAuth tokens with access to affected repositories, review their scopes and recent activity in GitHub audit logs. Verify whether the actions performed by the OAuth token were authorized and legitimate. If unauthorized, revoke suspicious tokens, rotate any potentially compromised credentials, and examine recent commits and repository changes for malicious modifications.