A recent analysis by Flare highlights a disturbing reality for DevSecOps teams: the early warning signs of software supply-chain attacks are increasingly visible in dark web marketplaces. We are seeing a commoditization of developer access, with active sales of GitHub repository access, leaked source code, and stolen API keys. These aren't just theoretical risks; they are the footholds used to inject malicious commits into trusted software pipelines, echoing the devastating impact of historical supply-chain compromises.
For defenders, this shifts the paradigm. We cannot rely solely on static analysis of our own code; we must now treat the integrity of developer identities and external access tokens as a primary attack surface. If your organization's GitHub credentials or CI/CD tokens are being auctioned on a forum, your supply chain is already compromised, regardless of how strong your internal perimeter is.
Technical Analysis
Affected Products & Platforms:
- Platforms: GitHub (Enterprise & Cloud), GitLab, Bitbucket.
- Assets: CI/CD pipelines, Source code repositories, Private Package Registries (npm, PyPI), OAuth tokens.
The Attack Vector: Attackers leverage initial access brokers (IABs) or infostealers to harvest developer session cookies, Personal Access Tokens (PATs), and SSH keys. These assets are then trafficked on underground forums. The attack chain typically follows this pattern:
- Credential Acquisition: Phishing or malware infection of a developer's endpoint yields
~/.git-credentials, SSH keys, or browser session tokens. - Monetization: Credentials are listed on dark web forums.
- Supply Chain Injection: Purchasers use the valid credentials to push malicious code to public repositories (dependency confusion) or inject obfuscated malware into private build pipelines.
- Distribution: The compromised software is signed, built, and deployed to customers, bypassing standard signature verification.
Exploitation Status: Intelligence confirms active "live" sales of GitHub access with specific permissions (write/admin). Unlike dormant vulnerabilities, these credentials offer immediate, authenticated access to critical infrastructure. The barrier to entry is low, requiring no zero-day exploitation—merely the reuse of valid, stolen sessions.
Detection & Response
Detecting supply-chain attacks initiated via stolen credentials requires identifying anomalies in authentication patterns and code repository interactions. The following rules target the misuse of Git tools and the exfiltration or manipulation of repositories using compromised identities.
SIGMA Rules
---
title: Potential GitHub Credential Access via Git Process
id: 89b3c120-7d45-4a3e-8e1f-9a2b3c4d5e6f
status: experimental
description: Detects git processes attempting to read local credential storage files, often a precursor to credential dumping or exfiltration by malicious tools.
references:
- https://attack.mitre.org/techniques/T1552/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.credential_access
- attack.t1552.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\\git.exe'
- '\\git-credential-manager.exe'
CommandLine|contains:
- '.git-credentials'
- 'config'
condition: selection
falsepositives:
- Legitimate developer operations or git configuration updates
level: low
---
title: Suspicious Remote URL Modification in Git
id: a1f2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects commands to change a git remote URL, which can indicate an attacker redirecting push operations to a malicious repository after stealing access.
references:
- https://attack.mitre.org/techniques/T1195/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.initial_access
- attack.t1195.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\git.exe'
CommandLine|contains: 'remote set-url'
filter:
CommandLine|contains:
- 'github.com'
- 'gitlab.com'
- 'bitbucket.org'
condition: selection and not filter
falsepositives:
- Developers changing remotes for valid migrations or forks
level: medium
---
title: PowerShell GitHub API Interaction with Non-Standard UserAgent
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects PowerShell scripts interacting with the GitHub API. Attackers use this to enumerate repos or exfiltrate code using stolen tokens.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/05/12
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\\powershell.exe'
CommandLine|contains:
- 'api.github.com'
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
condition: selection
falsepositives:
- Legitimate DevOps scripts or GitHub CLI tools wrapping PowerShell
level: medium
KQL (Microsoft Sentinel / Defender)
This query hunts for successful Git operations (specifically pushes) originating from endpoints that have not been seen performing this activity in the past 30 days, indicating potential use of stolen credentials by a new actor.
// Hunt for anomalous Git push operations
let TimeFrame = 1d;
let Baseline = 30d;
let GitProcesses = DeviceProcessEvents
| where Timestamp > ago(Baseline)
| where FileName in~ (\"git.exe\", \"git\")
| where ProcessCommandLine has \"push\"
| summarize dcount(DeviceId) by AccountName, AccountDomain;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (\"git.exe\", \"git\")
| where ProcessCommandLine has \"push\"
| join kind=leftanti (
GitProcesses
) on AccountName, AccountDomain
| project Timestamp, DeviceName, AccountName, AccountDomain, ProcessCommandLine, InitiatingProcessFileName, FolderPath
Velociraptor VQL
This artifact hunts for the presence of high-entropy strings (potential API keys) within configuration files in user directories, a common indicator of poor secret management or post-exploitation dumping.
-- Hunt for potential API Keys in config files
SELECT FullPath, Size, Mtime
FROM glob(globs=\"/*/Users/*/.git/config\", root=\"/\")
WHERE Size < 1000000
-- Further analysis would be required to regex scan contents,
-- this targets the file access artifacts often manipulated during theft.
-- Complementary Hunt for SSH keys
SELECT FullPath, Size, Mtime
FROM glob(globs=\"/*/Users/*/.ssh/id_rsa*\", root=\"/")
Remediation Script (PowerShell)
This script performs a local scan for hardcoded secrets in common configuration files and enforces a check on Git configuration settings to ensure credential helpers are securely configured.
# Security Arsenal - Supply Chain Hardening Script
# Check for exposed secrets and verify git configuration
Write-Host \"[+] Initiating Supply Chain Hardening Check...\"
# Define regex patterns for common high-entropy strings (AWS, GitHub, Generic API Keys)
$patterns = @(
'(?i)AKIA[0-9A-Z]{16}', # AWS Access Key
'(?i)ghp_[a-zA-Z0-9]{36}', # GitHub PAT
'(?i)sk-[a-zA-Z0-9]{48}' # Stripe Secret Key (Example of high entropy)
)
# Scan common config locations
$configPaths = @(
\"$env:USERPROFILE\\.git-credentials\",
\"$env:USERPROFILE\\.gitconfig\",
\"$env:APPDATA\
pm\
c\",
\"$env:USERPROFILE\\.aws\\credentials\"
)
$foundSecrets = $false
foreach ($path in $configPaths) {
if (Test-Path $path) {
Write-Host \"[!] Scanning file: $path\"
$content = Get-Content $path -Raw -ErrorAction SilentlyContinue
if ($content) {
foreach ($pattern in $patterns) {
if ($content -match $pattern) {
Write-Host \"[CRITICAL] Potential secret found matching pattern: $pattern in $path\" -ForegroundColor Red
$foundSecrets = $true
}
}
}
}
}
if (-not $foundSecrets) {
Write-Host \"[+] No obvious hardcoded secrets detected in local config files.\" -ForegroundColor Green
}
# Ensure Credential Helper is not storing secrets indefinitely (Example check)
Write-Host \"[+] Checking Git Credential Helper configuration...\"
$gitConfig = git config --global credential.helper 2>$null
if ($gitConfig) {
Write-Host \"[INFO] Current credential helper: $gitConfig\"
Write-Host \"[WARN] Ensure your credential helper integrates with OS keychain (e.g. manager-core) and does not cache indefinitely.\"
} else {
Write-Host \"[INFO] No global credential helper set.\"
}
Write-Host \"[+] Hardening check complete.\"
Remediation
To effectively mitigate the risk of supply-chain attacks originating from dark web leaked credentials, organizations must adopt a Zero Trust approach to development environments:
-
Immediate Credential Rotation: If indicators suggest compromise (e.g., detected in the rules above), rotate all GitHub Personal Access Tokens (PATs), SSH keys, and OAuth tokens immediately. Treat any credential exposed on the dark web as fully compromised.
-
Implement IP Allow-listing: Configure GitHub and GitLab organizations to restrict Git operations and API access to known corporate IP ranges or VPN egress IPs only. This renders stolen credentials useless to attackers outside the network perimeter.
-
Enforce Branch Protection Rules: Mandate that the
mainormasterbranches cannot be pushed to directly. Require Pull Requests (PRs) and enforce "Require status checks to pass before merging", including rigorous static analysis (SAST) and secret scanning. -
Shorten Token Lifespans: Reduce the expiration time for PATs and deploy keys. Use short-lived session tokens for CI/CD pipelines wherever possible, rather than long-standing static keys.
-
Enable Secret Scanning: Activate GitHub Advanced Security (or equivalent SaaS tools like TruffleHog or Gitleaks) to automatically scan repositories for committed secrets. Configure this to block pushes that contain detected secrets.
-
Developer Hygiene Training: Educate developers on the risks of malware (infostealers) on personal devices that may have access to corporate code. Mandate separate machines or strict containerization for corporate development work.
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.