GitHub user unblocked from accessing an organization’s repositories
Description
AlphaSOC detected that a GitHub user was unblocked from accessing an organization's repositories. This action restores a previously blocked user's ability to view, clone, and potentially contribute to the organization's code repositories. Threat actors who have gained administrative access may unblock previously blocked users to establish persistence within the organization's development infrastructure.
Impact
An unexpected unblock may indicate that an account with administrative privileges, such as an organization administrator or owner, has been compromised. The activity may represent an attempt to maintain access to the organization's development environment and, if the unblocking was unauthorized, could lead to further compromise.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub user was unblocked from accessing an organization's repositories |
Investigation and Remediation
Review GitHub audit logs to identify the user who performed the unblock action and verify whether it was authorized. If unauthorized, block the user again, rotate any potentially compromised credentials, and investigate the environment for other indicators of compromise.
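The audit log review described above can be scripted against a JSON export of the organization audit log. The following is an added example, not AlphaSOC or GitHub code: it pairs each `org.unblock_user` event with the earlier `org.block_user` event for the same account and flags unblocks by actors outside an approved list. The sample events are constructed, and the `user` field naming the unblocked account and the `APPROVED_ACTORS` list are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of an audit log export, one JSON event per line.
SAMPLE_LOG = """\
{"@timestamp": 1714557600000, "action": "org.block_user", "actor": "alice-admin", "org": "example-org", "user": "ext-contrib"}
{"@timestamp": 1717236000000, "action": "repo.create", "actor": "bob-dev", "org": "example-org", "repo": "example-org/tools"}
{"@timestamp": 1717239600000, "action": "org.unblock_user", "actor": "carol-owner", "org": "example-org", "user": "ext-contrib"}
{"@timestamp": 1717243200000, "action": "org.unblock_user", "actor": "alice-admin", "org": "example-org", "user": "spam-acct"}
"""

# Hypothetical list of admins whose unblock actions have an approved request.
APPROVED_ACTORS = {"alice-admin"}

def ts(event):
    """Convert the export's millisecond epoch timestamp to UTC."""
    return datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)

def review_unblocks(log_text, approved_actors):
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
    events.sort(key=lambda e: e.get("@timestamp", 0))
    last_block = {}  # (org, user) -> most recent block event
    findings = []
    for e in events:
        key = (e.get("org"), e.get("user"))  # "user" as target: assumption
        if e.get("action") == "org.block_user":
            last_block[key] = e
        elif e.get("action") == "org.unblock_user":
            blocked = last_block.pop(key, None)
            findings.append({
                "time": ts(e).isoformat(),
                "org": e.get("org"),
                "actor": e.get("actor"),
                "unblocked_user": e.get("user"),
                "originally_blocked_by": blocked["actor"] if blocked else None,
                "needs_review": e.get("actor") not in approved_actors,
            })
    return findings

if __name__ == "__main__":
    for finding in review_unblocks(SAMPLE_LOG, APPROVED_ACTORS):
        print(finding)
```

An unblock performed by a different actor than the one who applied the block, or one with no matching block event in the export window, is worth confirming with the organization owners.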