Skip to content

jsoref/2026-06-16-credential-leak

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 

Repository files navigation

2026-06-16-credential-leak

Notes about github cli credential leak 2026-06-16

Event

  • GitHub notifications for ~4AM Eastern indicated access from a location while the jsoref account user was asleep
  • Event log showed a number of OAuth actions including creating repositories that attempted to steal additional credentials

Corrective Actions

  • 2026-06-16 jsoref removed jsoref from check-spelling and a number of other orgnizations to isolate the account
  • 2026-06-16 jsoref the check-spelling dns fail safe was enabled for v0.0.26 with a generic message (Sorry)
  • 2026-06-16 jsoref removed all github/oauth applications and rotated github password
  • 2026-06-16 jsoref reported the account compromise to github (this is harder than one might imagine as there's no fast path through support for this)
  • All GitHub OAuth + GitHub Apps were deleted
  • SSH keys were rotated
  • Account passwords were changed (including for GitHub)
  • All Docker Hub account PATs were revoked (Docker Hub credentials were only used to enable higher pull access)

Investigated leaked credentials

GarnerBuild/dummy

  • Secrets were all dummies

check-spelling-sandbox/stack

  • Credential was a dummy -- the value was gibberish. It was probably set up so that a workflow would run past a certain point

check-spelling-sandbox/realopinsight

  • Credentials were dummies -- the username was test-test-test and the password was gibberish. They were probably set up so that a workflow would run past a certain point

check-spelling-sandbox/test-5

  • CHECK_SPELLING (there is no corresponding deploy key)
  • KEY (would have related to an obsolete repository that was archived 2025-Dec -- by which point there were no deploy keys for the repository)

check-spelling-sandbox/pixelfed

  • Potentially Docker credentials for use to publish pixelfed -- there is no such docker repository (in fact, there are no repositories)

Investigation

The GitHub cli oauth token was stolen from jsoref's primary computer. It's unclear how. In general, each gh instance gets its own token (we determined this through testing). It is generally stored in a system key store (e.g. macOS). But it returned any time you run gh auth token, so anything that can run commands as the user on a system can get it.

Evidence of compromise beyond event logs

  1. The attacker performed artifact.destroy and workflows.delete_workflow_run to hide action runs (future runs would show counting discontinuities, but as these repositories were abandoned and had no real secrets, that would never happen).

  2. The attacker named the workflows with a . prefix to try to hide the file (.github-actions-lint.yml) with lots of verbiage relating to lint (this doesn't actually fit with jsoref's patterns, but it's likely a generic attack of sorts). Each workflow includes the same template ("common secrets") as well as any secrets that are listed in the repository's secrets list.

  3. The attacker pushed a second commit to delete their commits:

About

Notes about credential leak 2026-06-16

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors