6 points danieldspx | 3 comments

A lot of repos are under attack, where branches are being created under the name [REDACTED] to trigger GH actions and send all secrets to a webhook website. This is new and here is an example:

[REDACTED]

Just search on GitHub and you will see plenty of repos.

1. danieldspx No.45253693
I redacted the names to avoid spreading and teaching people how to get other people's secrets. I am in contact with GitHub and will update here once they solve the issue.
2. patbuchanan No.45255897
We got hit. Cleaned up but still trying to find the origin. Assuming a VS Code plugin at this point that must have been poisoned. Have you found anything?

You can see if your account is leaking by searching for any branches of that [REDACTED] name:

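    # Check every repo in the account for a branch with the redacted name.
    # --limit raises gh's default cap of 30 repos per listing.
    for repo in $(gh repo list YOUR_ACCOUNT --limit 1000 --json name -q '.[].name'); do
      if gh api "repos/YOUR_ACCOUNT/$repo/branches/REDACTED" &>/dev/null; then
        echo "Found 'REDACTED' in: $repo"
      fi
    done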
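
Added example, not part of the thread: the branch check above only finds branches that still exist, while a repository's workflow run history can still name a branch after it has been deleted, and it records who pushed and when. This sketch filters a response shaped like `gh api repos/YOUR_ACCOUNT/REPO/actions/runs`; the sample data, the `suspect_runs` name and the `expected_workflows` allow-list are assumptions for illustration, and the branch name stays a placeholder because the thread redacts it.

```python
import json

# Placeholder: the thread redacts the real branch name, so it stays redacted here.
SUSPECT_BRANCH = "REDACTED"

# Constructed sample, shaped like the body of
# GET /repos/{owner}/{repo}/actions/runs (only the fields used below).
SAMPLE = json.loads("""
{"total_count": 3, "workflow_runs": [
  {"id": 101, "head_branch": "main", "event": "push",
   "path": ".github/workflows/ci.yml",
   "created_at": "2025-09-10T08:00:00Z", "actor": {"login": "alice"}},
  {"id": 103, "head_branch": "REDACTED", "event": "push",
   "path": ".github/workflows/extra.yml",
   "created_at": "2025-09-15T03:12:45Z", "actor": {"login": "alice"}},
  {"id": 102, "head_branch": "REDACTED", "event": "push",
   "path": ".github/workflows/ci.yml",
   "created_at": "2025-09-15T03:12:44Z", "actor": {"login": "alice"}}
]}
""")


def suspect_runs(response, branch=SUSPECT_BRANCH, expected_workflows=frozenset()):
    """Return one finding per workflow run whose head_branch equals `branch`.

    Findings are sorted oldest first so the first push is easy to spot.
    `unexpected_workflow` is True when the run used a workflow file that is
    not in `expected_workflows` (the paths you maintain on purpose).
    """
    findings = []
    for run in response.get("workflow_runs", []):
        if run.get("head_branch") != branch:
            continue
        path = run.get("path", "")
        findings.append({
            "run_id": run["id"],
            "created_at": run["created_at"],
            "actor": (run.get("actor") or {}).get("login", "unknown"),
            "event": run.get("event"),
            "workflow": path,
            "unexpected_workflow": path not in expected_workflows,
        })
    # ISO 8601 UTC timestamps sort correctly as plain strings.
    return sorted(findings, key=lambda f: f["created_at"])


if __name__ == "__main__":
    for f in suspect_runs(SAMPLE, expected_workflows={".github/workflows/ci.yml"}):
        print(f)
```

The `actor` and `created_at` of the earliest finding point at which account's credentials pushed the branch, which is the starting point for tracing the origin and deciding which secrets to rotate.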