
GitHub Rotates Publicly Exposed RSA SSH Private Key

GitHub replaced the RSA SSH private key used to secure Git operations for after it was exposed in a public GitHub repository.

Microsoft-owned code hosting platform GitHub said that it has replaced the RSA SSH private key used to secure Git operations for

The key, the platform said, was briefly exposed in a public GitHub repository and was not leaked following a GitHub compromise. No customer information was impacted, the company says.

According to the software collaboration platform, the key could have been used to impersonate GitHub or eavesdrop on customers’ Git operations over SSH.

“This key does not grant access to GitHub’s infrastructure or customer data,” GitHub said in a Friday announcement.

GitHub also noted that the key was exposed as a result of “an inadvertent publishing of private information”.

“We have no reason to believe that the exposed key was abused and took this action out of an abundance of caution,” GitHub said.

With only’s RSA SSH key replaced, no action is required from ECDSA and Ed25519 users. The leak did not impact web traffic to or HTTPS Git operations either.


“We have now completed the key replacement, and users will see the change propagate over the next thirty minutes. Some users may have noticed that the new key was briefly present beginning around 02:30 UTC during preparations for this change,” GitHub said on Friday.

The platform also provided instructions on how customers can manually remove the old key and add the new RSA SSH public key. GitHub Actions users may also need to take action.
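As an added illustration (not code from GitHub or from this article), the sketch below audits `known_hosts` lines for RSA pins of a host that no longer match the fingerprint the provider publishes, leaving ECDSA and Ed25519 entries alone. The host name `git.example.test`, the key blobs and the trusted fingerprint are constructed placeholders; only exact host names (plain or hashed) are matched, not wildcard patterns.

```python
import base64, hashlib, hmac

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """Match a plain (comma-separated) or hashed (|1|salt|hmac) host field."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in field.split(",")

def stale_rsa_entries(lines, host, trusted_fp):
    """Return (line_no, fingerprint) for ssh-rsa pins of host that differ from trusted_fp."""
    stale = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        # Skip blanks, comments and @cert-authority / @revoked lines (not host pins).
        if not parts or parts[0][0] in "#@":
            continue
        if len(parts) < 3 or parts[1] != "ssh-rsa":
            continue  # ECDSA / Ed25519 pins are unaffected by an RSA key rotation
        fp = fingerprint(parts[2])
        if host_matches(parts[0], host) and fp != trusted_fp:
            stale.append((no, fp))
    return stale

# --- constructed sample data (placeholders, not real keys) ---
HOST = "git.example.test"
b64 = lambda raw: base64.b64encode(raw).decode()
OLD, NEW, ED = b64(b"constructed-old-rsa"), b64(b"constructed-new-rsa"), b64(b"constructed-ed25519")
SALT = b"constructed-salt"
HASHED = "|1|%s|%s" % (b64(SALT), b64(hmac.new(SALT, HOST.encode(), hashlib.sha1).digest()))
SAMPLE = [
    "# constructed known_hosts",
    f"{HOST} ssh-ed25519 {ED}",
    f"{HOST},192.0.2.10 ssh-rsa {OLD}",
    f"{HASHED} ssh-rsa {OLD}",
    f"other.example.test ssh-rsa {OLD}",
    f"{HOST} ssh-rsa {NEW}",
]

if __name__ == "__main__":
    for no, fp in stale_rsa_entries(SAMPLE, HOST, fingerprint(NEW)):
        print(f"line {no}: stale RSA pin {fp}")
```

In real use the trusted fingerprint must be taken from the provider's official documentation over a separate authenticated channel, never from the SSH connection being checked.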

According to code security platform GitGuardian, the accidental exposure of secrets in public repositories is not surprising. In 2022, the firm found over 10 million new secrets exposed and says that one out of ten committers exposed a secret last year.

“If you have exposed a secret publicly, you are certainly not alone. GitHub serves as a good reminder we must stay vigilant in our security practices, no matter how large our team,” GitGuardian notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
