SAAS-GH-PAT-LEAKCredential Access

GitHub Personal Access Token Leak

GH PAT committed to a public / forked / Gist repo — full read/write to the user's repos, packages, deploy keys.

§ Where this technique fits

SAAS-GH-PAT-LEAK is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Leaked GitHub PAT → org takeover → supply-chain push
A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
step 2 / 6

§ What commonly comes next

01
Account Discovery
T1087 · Discovery
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Leaked GitHub PAT → org takeover → supply-chain push

§ What commonly comes next