GitHub user blocked from accessing an organization’s repositories
Description
AlphaSOC detected that a user was blocked from accessing an organization's repositories on GitHub. This action prevents the user from viewing, cloning, or contributing to any of the organization's repositories. While this is often a legitimate administrative action, threat actors could use unauthorized blocking to disrupt business operations or to maintain exclusive access to repositories after a compromise.
Impact
Blocking users from organizational repositories can disrupt development workflows and collaboration. If performed without authorization, this activity may indicate credential compromise or an attempt to lock out legitimate users, potentially as part of a larger attack strategy.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub user was blocked from accessing an organization's repositories |
Investigation and Remediation
Review GitHub audit logs to verify whether this action was authorized and identify the user account responsible for the blocking. If unauthorized, restore access for the blocked user, rotate any potentially compromised credentials, and conduct a thorough audit of the environment for other signs of compromise.
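The audit log review described above can be partly automated. The following Python script is an added example, not AlphaSOC's detection logic or GitHub tooling: it reads exported audit log events, flags block actions by actors outside an approved admin list or arriving in a burst, and reports whether each blocked user has since been unblocked. The action names `org.block_user` and `org.unblock_user` are GitHub audit log actions; the field names, the approved-admin list, the burst thresholds and all sample events are assumptions constructed for illustration.

```python
import json

# Constructed sample events shaped like exported GitHub org audit log entries.
# Assumed fields: "@timestamp" (epoch ms), "action", "actor", "blocked_user", "org".
SAMPLE_LOG = """\
{"@timestamp": 1714550000000, "action": "org.block_user", "actor": "alice-admin", "blocked_user": "former-contractor", "org": "example-org"}
{"@timestamp": 1714560000000, "action": "org.block_user", "actor": "build-svc", "blocked_user": "dev-one", "org": "example-org"}
{"@timestamp": 1714560060000, "action": "org.block_user", "actor": "build-svc", "blocked_user": "dev-two", "org": "example-org"}
{"@timestamp": 1714560120000, "action": "org.block_user", "actor": "build-svc", "blocked_user": "dev-three", "org": "example-org"}
{"@timestamp": 1714563600000, "action": "org.unblock_user", "actor": "alice-admin", "blocked_user": "dev-two", "org": "example-org"}
"""

APPROVED_ADMINS = {"alice-admin"}   # hypothetical list of accounts allowed to block users
BURST_WINDOW_MS = 10 * 60 * 1000    # assumed threshold: 3 or more blocks in 10 minutes
BURST_COUNT = 3


def triage_blocks(log_text, approved_admins=APPROVED_ADMINS):
    """Return one finding per block event that needs an analyst's review."""
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["@timestamp"])
    still_blocked = set()   # (org, user) pairs with no later unblock
    blocks_by_actor = {}
    for e in events:
        key = (e.get("org"), e.get("blocked_user"))
        if e.get("action") == "org.block_user":
            still_blocked.add(key)
            blocks_by_actor.setdefault(e.get("actor"), []).append(e)
        elif e.get("action") == "org.unblock_user":
            still_blocked.discard(key)

    findings = []
    for actor, blocks in blocks_by_actor.items():
        ts = [b["@timestamp"] for b in blocks]
        # Sliding window over the actor's sorted block times; a hit marks all of the actor's blocks.
        burst = any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW_MS
                    for i in range(len(ts) - BURST_COUNT + 1))
        for b in blocks:
            reasons = []
            if actor not in approved_admins:
                reasons.append("actor not in approved admin list")
            if burst:
                reasons.append("burst of blocks by one actor")
            if reasons:
                findings.append({"actor": actor, "blocked_user": b.get("blocked_user"),
                                 "org": b.get("org"), "reasons": reasons,
                                 "still_blocked": (b.get("org"), b.get("blocked_user")) in still_blocked})
    return findings


if __name__ == "__main__":
    for finding in triage_blocks(SAMPLE_LOG):
        print(finding)
```

Findings with `still_blocked` set to true are the accounts whose access still needs to be restored if the block turns out to be unauthorized.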
Known False Positives
- Legitimate administrative actions to block former employees or contractors
- Blocking users as part of regular access control management
- Temporary blocks during security incidents or investigations