Connect with us

Hi, what are you looking for?


Cloud Security

IAM Credentials in Public GitHub Repositories Harvested in Minutes

A threat actor is reportedly harvesting IAM credentials from public GitHub repositories within five minutes of exposure.

Credential Harvesting in GitHub Repositories

A threat actor is harvesting identity and access management (IAM) credentials from public GitHub repositories within five minutes of exposure, cybersecurity firm Palo Alto Networks warns.

The activity, tracked as EleKtra-Leak, has been ongoing for at least two years, allowing the threat actor to set up multiple AWS Elastic Compute (EC2) instances and use them in cryptojacking campaigns that have been ongoing for at least two years.

As part of the EleKtra-Leak operation, the threat actor has been using automated tools to clone public GitHub repositories and harvest AWS IAM credentials from them, but blocklisting repositories routinely exposing such credentials, to avoid honey traps set up by security researchers.

According to Palo Alto Networks’ Unit 42 research team, the attackers appear to only harvest credentials exposed in plaintext. Furthermore, the exposed keys can be used only if GitHub does not identify them and does not notify AWS, which would automatically quarantine the associated user to prevent abuse.

“Even when GitHub and AWS are coordinated to implement a certain level of protection when AWS keys are leaked, not all cases are covered. We highly recommend that CI/CD security practices, like scanning repos on commit, should be implemented independently,” Palo Alto Networks underlines.

The EleKtra-Leak operation relies on the real-time scanning of GitHub repositories for exposed secrets, and on the creation of multiple EC2 instances per accessible AWS region, for cryptojacking.

Palo Alto Networks said the attackers are performing multiple operations within minutes but successfully keeping their identity obscured, likely by using automated tools behind a VPN. Between August 30 and October 6, the security firm identified 474 unique miners believed to be attacker-controlled EC2 instances.

“Because the actors mined Monero, a type of cryptocurrency that includes privacy controls, we cannot track the wallet to obtain exact figures of how much the threat actors gained,” Palo Alto Networks says.

Advertisement. Scroll to continue reading.

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Related: Stolen GitHub Credentials Used to Push Fake Dependabot Commits

Related: GitHub Enterprise Server Gets New Security Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...