GitHub user removed from a repository
Description
AlphaSOC detected that a user was removed from a GitHub repository. This action revokes the user's permissions to view, clone, or contribute to the repository. While this is often a legitimate administrative action, threat actors can use unauthorized removals to disrupt development operations or to maintain exclusive access to a repository after compromise.
Impact
Removing users from organizational repositories can disrupt development workflows and collaboration. If performed without authorization, this activity may indicate credential compromise or an attempt to lock out legitimate users, potentially as part of a larger attack strategy.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub user removed from a repository |
Investigation and Remediation
Review GitHub audit logs to verify whether this removal was authorized and identify the user account responsible for the action. Check if the removal aligns with standard offboarding procedures or role changes. If unauthorized, restore access for the removed user, rotate any potentially compromised credentials, and conduct a thorough audit of the environment for other signs of compromise.
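The audit log review described above can be scripted. The following is an added example, not AlphaSOC's or GitHub's own code: it reads events in the shape of a GitHub audit log JSON export (the `repo.remove_member` action with `actor`, `user`, `repo` and `@timestamp` fields) and marks each removal as expected or needing review. The sample events, the approved-admin list, the offboarding list and the burst threshold are all constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample events, one JSON object per line, shaped like an audit log export.
SAMPLE_EVENTS = """
{"@timestamp": 1700000000000, "action": "repo.remove_member", "actor": "alice-admin", "user": "bob", "repo": "example-org/payments", "org": "example-org"}
{"@timestamp": 1700000300000, "action": "repo.remove_member", "actor": "carol", "user": "dave", "repo": "example-org/payments", "org": "example-org"}
{"@timestamp": 1700000360000, "action": "repo.remove_member", "actor": "carol", "user": "erin", "repo": "example-org/payments", "org": "example-org"}
{"@timestamp": 1700000400000, "action": "repo.add_member", "actor": "alice-admin", "user": "frank", "repo": "example-org/docs", "org": "example-org"}
"""

APPROVED_ADMINS = {"alice-admin"}  # assumption: accounts allowed to manage repository access
OFFBOARDED_USERS = {"bob"}         # assumption: users with an offboarding or role-change record

def triage_removals(lines, admins, offboarded, burst_threshold=2):
    """Return (findings, burst_actors) for repo.remove_member events."""
    findings, per_actor = [], Counter()
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the review
        if not isinstance(ev, dict) or ev.get("action") != "repo.remove_member":
            continue
        actor, user = ev.get("actor"), ev.get("user")
        reasons = []
        if actor not in admins:
            reasons.append("actor is not an approved admin")
        if user not in offboarded:
            reasons.append("no offboarding record for removed user")
        per_actor[actor] += 1
        findings.append({"actor": actor, "user": user, "repo": ev.get("repo"),
                         "ts_ms": ev.get("@timestamp"),
                         "verdict": "review" if reasons else "expected",
                         "reasons": reasons})
    # Several removals by one actor deserve a closer look (possible lockout attempt).
    burst_actors = sorted(a for a, n in per_actor.items() if n >= burst_threshold)
    return findings, burst_actors

if __name__ == "__main__":
    results, bursts = triage_removals(SAMPLE_EVENTS, APPROVED_ADMINS, OFFBOARDED_USERS)
    for r in results:
        print(r)
    print("actors with multiple removals:", bursts)
```

Removals marked `review` are the ones to confirm with the repository owner before restoring access or rotating credentials.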