GitHub OAuth access credentials could be used to compromise OAuth-authenticated apps. And GitHub personal access tokens with overly broad permissions could download pretty much anything, including any secrets stored in GitHub Actions.
But getting the source code is pretty bad by itself. Not from an intellectual property standpoint, but because I've never seen a company whose developers didn't commit live credentials into their source code.
If they had access to GitHub Actions creds, I'm assuming the attackers could also push releases. I wonder how much malware is now in the wild because of this breach.
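The two risks the comment above names (live credentials committed to source, and tokens whose scopes are too broad) are the kind of thing a repository owner can check for. The following is an added example, not code from the thread or from GitHub: it scans a constructed settings file for GitHub token formats (the `ghp_`/`gho_`-style prefixes GitHub uses) and AWS access key IDs, and audits the scopes reported in GitHub's `X-OAuth-Scopes` response header against a list of scopes the author of this example considers too broad.

```python
import re
from dataclasses import dataclass

# GitHub token formats: a type prefix plus 36 base62 characters (ghp_ = personal access
# token, gho_ = OAuth access token, ghu_/ghs_ = GitHub App tokens, ghr_ = refresh token).
# Word boundaries keep the match from firing inside longer identifiers.
GITHUB_TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Scopes that on their own let a leaked token read every repository (and any credentials
# committed to them) or change workflows. This list is the example's own judgement call.
BROAD_SCOPES = {"repo", "admin:org", "workflow", "write:packages", "admin:repo_hook"}

# Constructed sample input: a settings file of the kind the thread describes. The PAT is
# made up (not a valid token); the AWS key ID is the one used in AWS's own documentation.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""

@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # first and last four characters only, so the report itself leaks nothing

def scan_text(text: str) -> list[Finding]:
    """Return one Finding per credential-shaped string found in the text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, regex in (("github-token", GITHUB_TOKEN_RE), ("aws-access-key-id", AWS_KEY_ID_RE)):
            for match in regex.finditer(line):
                token = match.group(1)
                findings.append(Finding(line_no, kind, token[:4] + "..." + token[-4:]))
    return findings

def audit_scopes(x_oauth_scopes: str) -> list[str]:
    """Given the value of GitHub's X-OAuth-Scopes header for a token, return its broad scopes."""
    scopes = {s.strip() for s in x_oauth_scopes.split(",") if s.strip()}
    return sorted(scopes & BROAD_SCOPES)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(f"line {finding.line_no}: {finding.kind} {finding.redacted}")
    print("broad scopes:", audit_scopes("repo, read:user, gist"))
```

Running this against the sample reports the fake PAT on line 2 and the AWS key ID on line 3, and flags `repo` as the one broad scope in the sample header value.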
> I've never seen a company whose developers didn't commit live credentials into their source code.
I don’t do that, but I’m pretty pathological about stuff like that.
I learned it from the company I used to work for, who were paranoid, to the point of lunacy, about Chinese hackers (they were breached once, and took the lesson to extremes).
I don’t think they are an outlier. I’ll bet lots of companies are just as tinfoil.
It’s a downright unbearable development environment, though.
GitHub secrets are encrypted, right? I didn't think there was any way to access them without running a GitHub Actions job that deliberately uploads them somewhere else (or echoes them into the log with rot13/base64 or something else).