
Suspicious GitHub actions performed via OAuth access token

ID: github_oauth_token_anomaly
Data type: GitHub
Severity: Low
MITRE ATT&CK: TA0006:T1528

Description

AlphaSOC detected suspicious GitHub actions performed using an OAuth access token. OAuth tokens provide programmatic access to GitHub repositories and can be used to perform various operations including code commits, repository modifications, and data access.

Impact

Threat actors may compromise OAuth tokens to gain unauthorized access to development environments, steal source code, inject malicious code into repositories, or perform other unauthorized actions.

Severity

Severity | Condition
Low      | Suspicious GitHub actions performed via OAuth access token

Investigation and Remediation

Audit all OAuth tokens with access to the affected repositories, and review their scopes and recent activity in the GitHub audit logs. Verify whether the actions performed by the OAuth token were authorized and legitimate. If they were not, revoke the suspicious tokens, rotate any potentially compromised credentials, and examine recent commits and repository changes for malicious modifications.
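As an added triage example (not AlphaSOC's detection logic and not part of the original page), the script below reads GitHub audit-log events as JSON lines, isolates those performed with an OAuth access token, and lists the tokens whose activity includes a high-risk action so a reviewer knows where to start the audit. The `programmatic_access_type` and `token_id` field names, the high-risk action list, and the sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Actions a reviewer would want to see first when a token is in question.
# The ranking is this example's assumption, not the page's or AlphaSOC's.
HIGH_RISK_ACTIONS = {"repo.destroy", "protected_branch.destroy", "repo.access", "org.remove_member"}

# Constructed sample audit-log events (JSON lines); not real data.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1700000000000, "action": "git.clone", "actor": "dev-alice", "repo": "acme/api", "programmatic_access_type": "OAuth access token", "token_id": 101}
{"@timestamp": 1700000060000, "action": "git.push", "actor": "dev-alice", "repo": "acme/api", "programmatic_access_type": "OAuth access token", "token_id": 101}
{"@timestamp": 1700000120000, "action": "protected_branch.destroy", "actor": "dev-alice", "repo": "acme/api", "programmatic_access_type": "OAuth access token", "token_id": 101}
{"@timestamp": 1700000180000, "action": "git.push", "actor": "ci-bot", "repo": "acme/web", "programmatic_access_type": "GitHub App user-to-server token", "token_id": 202}
{"@timestamp": 1700000240000, "action": "repo.create", "actor": "dev-bob", "repo": "acme/tools"}
"""

def parse_events(jsonl):
    """Parse JSON-lines audit log export into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]

def summarize_oauth_tokens(events):
    """Group events performed via an OAuth access token by token_id (assumed field)
    and record the actor, repositories touched, and every action taken."""
    summary = defaultdict(lambda: {"actor": None, "repos": set(), "actions": [], "high_risk": []})
    for ev in events:
        # Skip events made interactively or with other token types.
        if ev.get("programmatic_access_type") != "OAuth access token":
            continue
        tok = summary[ev.get("token_id")]
        tok["actor"] = ev.get("actor")
        tok["repos"].add(ev.get("repo"))
        tok["actions"].append(ev["action"])
        if ev["action"] in HIGH_RISK_ACTIONS:
            tok["high_risk"].append(ev["action"])
    return dict(summary)

def tokens_to_review(summary):
    """Token ids whose activity includes a high-risk action: audit these first."""
    return sorted(t for t, info in summary.items() if info["high_risk"])

if __name__ == "__main__":
    s = summarize_oauth_tokens(parse_events(SAMPLE_AUDIT_LOG))
    for tok in tokens_to_review(s):
        info = s[tok]
        print(f"token {tok} ({info['actor']}) on {sorted(info['repos'])}: {info['high_risk']}")
```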