GitHub Employee Token Exposed: Thousands of Secrets in Cloud Dev Environments

A 17-year-old researcher scanned 22 million projects across four cloud development environments, uncovering thousands of active secrets. According to Cyber News - Erez Dasa, the most critical finding was a GitHub employee token that granted write access to github/github – GitHub’s central repository – and tens of thousands of GitHub’s private repositories.

This highly sensitive token, if compromised, could have enabled severe supply chain attacks. Cyber News - Erez Dasa highlights that with workflow permissions, the token could have been used to modify GitHub Actions pipelines, inject malicious code into GitHub’s production codebase, or pivot into downstream supply chain attacks. GitHub acknowledged the findings and rewarded the researcher with $20,000.

This incident underscores a critical, ongoing challenge: secrets sprawl in development environments. Even with robust security programs, sensitive credentials frequently leak into public or semi-public codebases, creating massive attack surfaces. Defenders must assume that secrets will inevitably escape and implement rigorous scanning, rotation, and least-privilege principles to mitigate the fallout.