GitHub Attack – branches sending secrets to webhook
A lot of repos are being under attack where branches are being created under the name [REDACTED] to trigger GH actions and send all secrets to a webhook website. This is new and here is an example:
[REDACTED]
Just search on github and you will see planty repos.
We got hit. Cleaned up but still trying to find the origin. Assuming a VS Code plugin at this point that must have been poisoned. Have you found anything?
You can see if your account is leaking by searching for any branches of that [REDACTED] name:
for repo in $(gh repo list YOUR_ACCOUNT --json name -q '.[].name'); do if gh api repos/YOUR_ACCOUNT/$repo/branches/REDACTED &>/dev/null; then echo " Found 'REDACTED' in: $repo" fi done
I redacted the names to avoid spreading and teaching people how to get other people's secrets. I am in contact with Github and will update here once they solve the issue.
You can see if your account is leaking by searching for any branches of that [REDACTED] name:
for repo in $(gh repo list YOUR_ACCOUNT --json name -q '.[].name'); do if gh api repos/YOUR_ACCOUNT/$repo/branches/REDACTED &>/dev/null; then echo " Found 'REDACTED' in: $repo" fi done