
A dark web user, Clear Voice, posted about an alleged sale of GitHub developers' data. On 26 March, the user stated that they were looking for buyers for GitHub.com usernames.
The data with a total of 4591 lines in two files includes the following:
The legitimacy of the data purportedly from GitHub could not be verified at the time of posting. However, it could be the result of vulnerability exploitation in the past.
It is not unusual for cybercriminals and dark web vendors to exchange and further exploit stolen credentials on breach forums for financial fraud and phishing scams.
The compromise of a GitHub Action was recently in the news for exposing critical CI/CD secrets across multiple repositories.
Continuous Integration/Continuous Deployment (CI/CD) access may expose sensitive data like passwords, API keys, npm tokens, etc. required during the building, testing, and other phases of software development.
It was a supply chain attack that originated from an earlier breach of the ‘reviewdog/action-setup@v1’ GitHub Action via the exploitation of a vulnerability. It was further reported that the primary target of the GitHub breaches was Coinbase, the U.S.-based cryptocurrency exchange.
The attack was launched by injecting malicious code into reviewdog/action-setup@v1 GitHub Action.
GitHub was also affected by a credentials leak incident in January this year, which Cyble reported, naming large enterprise security vendors. The incident exposed critical internal systems such as GitHub, Jira, and AWS.
Customer credentials targeting WordPress, Microsoft, and Okta were also exposed in the breach.