GitHub user removed from an organization
Description
AlphaSOC detected that a user was removed from a GitHub organization. This action prevents a user from viewing, cloning, or contributing to any of the organization's repositories. While this is often a legitimate administrative action, unauthorized removal could be used by threat actors to disrupt business operations or maintain exclusive access to repositories after compromise.
Impact
Removing users from organizational repositories can disrupt development workflows and collaboration. If performed without authorization, this activity may indicate credential compromise or an attempt to lock out legitimate users, potentially as part of a larger attack strategy.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub user removed from an organization |
Investigation and Remediation
Review GitHub audit logs to verify whether this removal was authorized and identify the user account responsible for the action. If unauthorized, restore access for the removed user, rotate any potentially compromised credentials, and conduct a thorough audit of the environment for other signs of compromise.
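The audit-log review described above can be scripted. The following is an added example, not AlphaSOC or GitHub code: it reads audit log records in JSON-lines form, keeps the `org.remove_member` events, and marks removals made by an account outside an approved list or made in a burst by one actor. The sample events, the `APPROVED_ADMINS` list, the burst threshold and the function name are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events shaped like GitHub audit log JSON export records.
SAMPLE_EVENTS = """
{"@timestamp": 1717236000000, "action": "org.remove_member", "actor": "alice-admin", "user": "dev-one", "org": "example-org"}
{"@timestamp": 1717236060000, "action": "repo.create", "actor": "dev-two", "repo": "example-org/tools", "org": "example-org"}
{"@timestamp": 1717239600000, "action": "org.remove_member", "actor": "svc-build", "user": "dev-two", "org": "example-org"}
{"@timestamp": 1717239660000, "action": "org.remove_member", "actor": "svc-build", "user": "alice-admin", "org": "example-org"}
"""

# Assumption: accounts that your own process allows to remove members.
APPROVED_ADMINS = {"alice-admin"}


def triage_removals(lines, approved_admins, burst_threshold=2):
    """Return one finding per org.remove_member event, with review flags."""
    removals = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("action") == "org.remove_member":
            removals.append(event)

    # Several removals by one actor can indicate an attempt to lock users out.
    per_actor = Counter(e.get("actor") for e in removals)

    findings = []
    for e in removals:
        actor = e.get("actor")
        # @timestamp is milliseconds since the Unix epoch.
        when = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
        findings.append({
            "time": when.isoformat(),
            "org": e.get("org"),
            "actor": actor,                      # account that performed the removal
            "removed_user": e.get("user"),       # account that lost access
            "actor_approved": actor in approved_admins,
            "burst": per_actor[actor] >= burst_threshold,
            "removed_is_admin": e.get("user") in approved_admins,
        })
    return findings


if __name__ == "__main__":
    for f in triage_removals(SAMPLE_EVENTS, APPROVED_ADMINS):
        status = "ok" if f["actor_approved"] and not f["burst"] else "REVIEW"
        print(status, f["time"], f["actor"], "removed", f["removed_user"], "from", f["org"])
```

A finding with `actor_approved` false, or with `removed_is_admin` true, is the case to check against a change ticket before restoring access and rotating credentials.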