GitHub user removed from a repository

ID: github_user_removed_from_repository
Data type: GitHub
Severity: Informational
MITRE ATT&CK: TA0040:T1531

Description

AlphaSOC detected that a user was removed from a GitHub repository. This action revokes a user's permissions to view, clone, or contribute to the repository. While this is often a legitimate administrative action, unauthorized removal could potentially be used by threat actors to disrupt development operations or maintain exclusive access to a repository after compromise.

Impact

Removing users from organizational repositories can disrupt development workflows and collaboration. If performed without authorization, this activity may indicate credential compromise or an attempt to lock out legitimate users, potentially as part of a larger attack strategy.

Severity

| Severity | Condition |
|---|---|
| Informational | GitHub user removed from a repository |

Investigation and Remediation

Review GitHub audit logs to verify whether this removal was authorized and identify the user account responsible for the action. Check if the removal aligns with standard offboarding procedures or role changes. If unauthorized, restore access for the removed user, rotate any potentially compromised credentials, and conduct a thorough audit of the environment for other signs of compromise.
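
One way to run the audit-log review described above over an exported log, as an added example (not AlphaSOC's detection logic): it keeps GitHub's `repo.remove_member` events and flags removals made by actors outside an approved-admin list, removals of users not on an offboarding list, and bursts of removals by one actor. The sample events, the admin and offboarding lists, and the burst threshold are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events in the shape of GitHub's audit log JSON export
# (one object per line; "@timestamp" is epoch milliseconds).
SAMPLE_LOG = """\
{"@timestamp": 1700000000000, "action": "repo.remove_member", "actor": "alice-admin", "user": "bob", "repo": "example-org/api"}
{"@timestamp": 1700000100000, "action": "repo.add_member", "actor": "alice-admin", "user": "erin", "repo": "example-org/api"}
{"@timestamp": 1700003600000, "action": "repo.remove_member", "actor": "mallory", "user": "carol", "repo": "example-org/api"}
{"@timestamp": 1700003660000, "action": "repo.remove_member", "actor": "mallory", "user": "dave", "repo": "example-org/api"}
{"@timestamp": 1700003720000, "action": "repo.remove_member", "actor": "mallory", "user": "alice-admin", "repo": "example-org/api"}
"""

# Assumptions for this example: who may manage access, who is being offboarded,
# and how many removals inside one window count as a burst.
APPROVED_ADMINS = {"alice-admin"}
OFFBOARDING = {"bob"}
BURST_COUNT, BURST_WINDOW_MS = 3, 15 * 60 * 1000

def triage(log_text, admins=APPROVED_ADMINS, offboarding=OFFBOARDING):
    """Return one finding per repo.remove_member event, with reasons to escalate."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    removals = sorted((e for e in events if e.get("action") == "repo.remove_member"),
                      key=lambda e: e["@timestamp"])
    by_actor = defaultdict(list)  # (actor, repo) -> removal timestamps
    for e in removals:
        by_actor[(e["actor"], e["repo"])].append(e["@timestamp"])
    findings = []
    for e in removals:
        reasons = []
        if e["actor"] not in admins:
            reasons.append("actor is not an approved admin")
        if e["user"] not in offboarding:
            reasons.append("removed user is not on the offboarding list")
        if e["user"] in admins:
            reasons.append("removed user is an approved admin")
        times = by_actor[(e["actor"], e["repo"])]
        nearby = [t for t in times if abs(t - e["@timestamp"]) <= BURST_WINDOW_MS]
        if len(nearby) >= BURST_COUNT:
            reasons.append("part of a burst of removals by one actor")
        findings.append({"actor": e["actor"], "user": e["user"], "repo": e["repo"],
                         "escalate": bool(reasons), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("ESCALATE" if f["escalate"] else "ok", f["actor"], "removed", f["user"],
              "from", f["repo"], "-", "; ".join(f["reasons"]) or "matches offboarding")
```

Events marked for escalation are the ones to check against change tickets before restoring access or rotating credentials.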