GitHub webhook modified
Description
AlphaSOC detected that a GitHub webhook was either created, modified, or deleted. Webhooks allow external services to be notified when certain events happen within a repository. While these actions are often legitimate, threat actors may manipulate webhooks to establish persistence or exfiltrate data from the environment.
Impact
Malicious webhook modifications could result in unauthorized access to sensitive repository data, including source code, commit history, and developer communications. This may lead to intellectual property theft, data exfiltration, or other malicious activities.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub webhook modified |
Investigation and Remediation
Review GitHub audit logs to examine the webhook modification details, including the user who made the change, the webhook URL, and configured events. Verify whether the modification was authorized. If unauthorized, revert the webhook to its previous state, rotate any potentially compromised credentials, and review recent GitHub activity for any suspicious actions.
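
One way to run the audit-log review described above over an exported log, shown as an added example that is not AlphaSOC's or GitHub's own code. It filters events in GitHub's `hook` audit-log category and flags the details worth verifying: the actor, the destination host, and the configured events. Assumptions: the `APPROVED_HOSTS` allowlist, the constructed sample events, and the JSON field layout, which should be checked against your own export.

```python
import json
from urllib.parse import urlsplit

# Audit-log actions in GitHub's "hook" category.
HOOK_ACTIONS = {"hook.create", "hook.config_changed", "hook.events_changed",
                "hook.active_changed", "hook.destroy"}

# Assumption: hosts your organization has approved as webhook receivers.
APPROVED_HOSTS = {"ci.example.com", "chatops.example.com"}

# Constructed sample export (JSON lines); the field layout is an assumption.
SAMPLE_LOG = """\
{"@timestamp": 1717236000000, "action": "hook.create", "actor": "alice", "repo": "acme/api", "hook_id": 101, "config": {"url": "https://ci.example.com/github", "insecure_ssl": "0"}, "events": ["push"]}
{"@timestamp": 1717239600000, "action": "repo.create", "actor": "bob", "repo": "acme/docs"}
{"@timestamp": 1717243200000, "action": "hook.config_changed", "actor": "mallory", "repo": "acme/api", "hook_id": 101, "config": {"url": "http://collector.example.net/in", "insecure_ssl": "1"}, "events": ["*"]}
{"@timestamp": 1717246800000, "action": "hook.destroy", "actor": "alice", "repo": "acme/web", "hook_id": 77}
"""

def triage_hook_events(jsonl, approved_hosts=APPROVED_HOSTS):
    """Return one finding per webhook change, with the reasons it needs review."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") not in HOOK_ACTIONS:
            continue  # not a webhook change
        config = event.get("config") or {}
        url = urlsplit(config.get("url") or "")
        reasons = []
        if url.hostname and url.hostname not in approved_hosts:
            reasons.append("destination host not approved")
        if url.scheme == "http":
            reasons.append("payloads sent without TLS")
        if str(config.get("insecure_ssl", "0")) == "1":
            reasons.append("TLS verification disabled")
        if "*" in event.get("events", []):
            reasons.append("subscribed to all events")
        if event["action"] == "hook.destroy":
            reasons.append("webhook deleted; confirm it was not a security integration")
        findings.append({"action": event["action"], "actor": event.get("actor"),
                         "repo": event.get("repo"), "hook_id": event.get("hook_id"),
                         "host": url.hostname, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage_hook_events(SAMPLE_LOG):
        print(f["actor"], f["action"], f["repo"], f["host"], f["reasons"] or "no flags")
```

A finding with an empty `reasons` list still records who changed which webhook, so it can be matched against a change request when verifying authorization.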