⚠️ THREAT ALERT: GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories
The investigation points to a token‑theft campaign in which the attacker (the group claiming the breach, TeamPCP) used an attacker‑controlled OAuth application to obtain a user token with read and write access to every repository in the organization’s GitHub Enterprise Cloud tenancy. The lure was a phishing email linking to a GitHub OAuth authorization prompt for a malicious application posing as a legitimate integration; the victim, a senior developer whose account was SSO‑linked via SAML, signed in with corporate IdP credentials and approved the request. Because the prompt asked for the “repo”, “admin:org” and “workflow” scopes, the resulting OAuth token had full repository access and the ability to create or modify GitHub Actions workflows, the same reach as a classic personal access token (PAT) carrying those scopes. The token came out of a legitimate consent flow, so neither the IdP’s MFA nor SAML enforcement stopped it: OAuth tokens and PATs are bearer credentials and are not subject to a second‑factor check when they are used. The attacker stored the token on command‑and‑control infrastructure and used it to enumerate and clone approximately 4,000 internal repositories, including private libraries, configuration files and CI/CD secrets. The technique matches known OAuth consent‑phishing (“illicit consent grant”) patterns and depended on two conditions: users were able to authorize arbitrary third‑party OAuth apps with broad scopes, and nothing limited what an authorized token could do once issued.
The operational footprint matches weakness classes that recur in GitHub integrations rather than a flaw in the platform itself: broadly scoped OAuth grants that SAML SSO does not constrain once the user has authorized the application, and GitHub Actions workflows that expose repository secrets to code the attacker controls. With the “workflow” scope the adversary appears to have committed modified workflow definitions that read secrets into a step and wrote them to the run logs; the same outcome is reachable without write access when a workflow triggered by `pull_request_target` checks out and runs the head of a forked pull request with the base repository’s secrets. No zero‑day was observed; the compromise shows how chaining a single successful consent grant with permissive scopes and CI misconfiguration yields a high‑impact breach without a novel vulnerability.
Mitigation should begin with immediate revocation of the malicious application’s OAuth grants and of every credential the compromised account holds (OAuth tokens, classic and fine‑grained PATs, SSH keys), followed by rotation of every secret stored in the cloned repositories and in Actions secrets, since cloned CI/CD configuration must be treated as disclosed. Next, reduce the blast radius of the next grant: enable OAuth App access restrictions at the organization level so only approved third‑party apps can reach organization resources; prefer fine‑grained PATs and GitHub Apps with per‑repository permissions over classic “repo” and “admin:org” scopes, and restrict the set of users who hold org‑admin rights or may change workflows; require approval for fine‑grained PAT requests. Because tokens are bearer credentials, MFA cannot be applied at token use time; instead, set token expiry and monitor the organization or enterprise audit log (through its API or audit log streaming) for new OAuth authorizations to unknown apps, PAT creation, and bulk `git.clone` activity from a single actor or IP. Finally, harden the identity path: register only the organization’s own SAML ACS/redirect URLs at the IdP, apply attribute‑based access control in SAML assertions, and use Conditional Access policies that block sign‑ins from unmanaged devices or untrusted networks, which raises the cost of the initial sign‑in even when consent phishing is the goal. Together these controls shrink the attack surface for token‑theft campaigns and limit the damage of any future token compromise.
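The monitoring step above, as an added example that is not part of the original alert or of any GitHub tooling: a detection pass over exported audit‑log events that flags a user authorizing an unapproved OAuth app with broad scopes and an actor cloning an unusual number of distinct repositories in a short window. The `action`, `actor`, `created_at` (epoch milliseconds) and `repo` fields follow the GitHub audit‑log JSON export; the `oauth_application` and `scopes` field names, the app allowlist and the thresholds are assumptions, and every event is constructed, not real log data.

```python
"""Detection pass over GitHub audit-log events for OAuth consent abuse and
mass cloning. Added example; not code from the alert or from GitHub.

Assumed event shape: action, actor, created_at (epoch ms), repo,
oauth_application, scopes. The sample events are constructed.
"""
from collections import defaultdict, deque

# Assumption: the organization's approved third-party OAuth apps.
ALLOWED_OAUTH_APPS = {"Codecov", "Dependabot"}
# Scopes that give a token write access to code, org membership or CI definitions.
HIGH_RISK_SCOPES = {"repo", "admin:org", "workflow"}
# Mass-clone heuristic: this many distinct repos by one actor inside the window.
CLONE_BURST_THRESHOLD = 50
CLONE_BURST_WINDOW_MS = 10 * 60 * 1000


def build_sample_events():
    """Constructed audit-log events (not real data)."""
    base = 1_700_000_000_000  # epoch milliseconds
    events = [
        {"action": "oauth_authorization.create", "actor": "alice", "created_at": base,
         "oauth_application": "Codecov", "scopes": ["read:user", "repo:status"]},
        # Unknown app asking for the three scopes named in the alert.
        {"action": "oauth_authorization.create", "actor": "jdoe", "created_at": base + 60_000,
         "oauth_application": "GitHub Security Notice", "scopes": ["repo", "admin:org", "workflow"]},
        {"action": "oauth_authorization.create", "actor": "bob", "created_at": base + 120_000,
         "oauth_application": "Dependabot", "scopes": ["repo"]},
    ]
    # jdoe's token clones 60 distinct repos in under five minutes.
    for i in range(60):
        events.append({"action": "git.clone", "actor": "jdoe",
                       "created_at": base + 180_000 + i * 5_000,
                       "repo": f"acme/internal-lib-{i:03d}"})
    # alice clones five repos over a working day: normal activity.
    for i in range(5):
        events.append({"action": "git.clone", "actor": "alice",
                       "created_at": base + i * 4 * 3_600_000,
                       "repo": f"acme/service-{i}"})
    return events


def flag_oauth_grants(events):
    """One finding per authorization of an app outside the allowlist."""
    findings = []
    for e in events:
        if e.get("action") != "oauth_authorization.create":
            continue
        app = e.get("oauth_application", "")
        if app in ALLOWED_OAUTH_APPS:
            continue
        risky = sorted(HIGH_RISK_SCOPES.intersection(e.get("scopes", [])))
        findings.append({
            "type": "unapproved_oauth_app",
            "actor": e.get("actor"),
            "app": app,
            "risky_scopes": risky,
            "severity": "high" if risky else "medium",
        })
    return findings


def flag_clone_bursts(events):
    """Sliding window per actor: peak count of distinct repos cloned inside
    CLONE_BURST_WINDOW_MS; flagged when it reaches the threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("action") == "git.clone":
            by_actor[e["actor"]].append((e["created_at"], e["repo"]))
    findings = []
    for actor, clones in by_actor.items():
        clones.sort()
        window = deque()
        repo_counts = defaultdict(int)
        peak = 0
        for ts, repo in clones:
            window.append((ts, repo))
            repo_counts[repo] += 1
            # Drop events that fell out of the window ending at ts.
            while ts - window[0][0] > CLONE_BURST_WINDOW_MS:
                old_ts, old_repo = window.popleft()
                repo_counts[old_repo] -= 1
                if repo_counts[old_repo] == 0:
                    del repo_counts[old_repo]
            peak = max(peak, len(repo_counts))
        if peak >= CLONE_BURST_THRESHOLD:
            findings.append({"type": "mass_clone", "actor": actor,
                             "distinct_repos_in_window": peak})
    return findings


def analyze(events):
    return flag_oauth_grants(events) + flag_clone_bursts(events)


if __name__ == "__main__":
    for finding in analyze(build_sample_events()):
        print(finding)
```

Against the constructed sample the pass reports jdoe’s grant to the unknown app as high severity (all three risky scopes) and jdoe’s 60‑repo clone burst; alice’s Codecov grant and her five spread‑out clones are not reported. The thresholds need tuning to the organization’s baseline, and `git.clone` events are only present when Git events are included in the audit‑log export.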