Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: exploitation is unconfirmed but active reconnaissance is evidenced by at least one confirmed private repository clone, aged ghost accounts reduce detection friction, and exposed PATs/OAuth tokens are a well-understood and routinely exploited attack surface against GitHub organizations. Impact is high because successful follow-on access to build-adjacent private repositories creates a direct pathway to supply chain compromise — IP theft, embedded credential exposure, and downstream dependency injection — consequences that extend well beyond the initial GitHub environment.
Treatment rationale: The threat is active, the attack surface (dormant accounts, exposed tokens) is controllable through direct security action, and the downstream supply chain consequences are severe enough that transfer or acceptance would leave unacceptable residual risk.
Third-Party / Supply-Chain Risk
GitHub is a shared SaaS platform and a critical node in most software supply chains; attacker access to private repositories hosted there exposes not only the organization's own code but also any third-party dependency configurations, build pipeline credentials, or submodule references embedded in that code. Organizations using GitHub Actions, GitHub Packages, or third-party CI/CD integrations (e.g., CircleCI, Jenkins) via OAuth app grants face compounded exposure: a compromised OAuth token may propagate access beyond GitHub itself. Per NIST SP 800-161, any vendor or downstream customer whose software is built from affected repositories should be treated as a potentially impacted party in supply chain risk assessment.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M per materially affected organization, scaling with the sensitivity of exposed source code and whether build pipeline compromise is confirmed
Frequency: Illustrative: organizations with dormant GitHub accounts, publicly exposed PATs, or broad OAuth app grants face an estimated 1-in-3 to 1-in-5 annual probability of meaningful unauthorized repository access given the campaign's observed methodology and the prevalence of token exposure across public repositories
Annualized: Illustrative ALE: $100K–$1.5M per year for an exposed mid-to-large enterprise, weighted toward the higher end if build pipeline access is in scope
Basis: Loss magnitude anchored to: (1) IP theft and proprietary business logic exposure as primary loss event — magnitude driven by competitive sensitivity of the code and remediation cost of rotating embedded credentials at scale; (2) incident response and forensic investigation costs for a GitHub-scope compromise; (3) supply chain downstream notification and remediation costs if build artifacts are affected. Frequency anchored to: active campaign evidenced by Datadog Security Labs, widespread PAT/OAuth token exposure as a documented, persistent problem across GitHub, and the low friction of aged ghost account abuse. No third-party actuarial or benchmarking data was used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Unauthorized access to private source code repositories containing embedded credentials or customer data may invoke breach-notification obligations under applicable state or national data protection law — verify with counsel.
• If private repository contents include regulated data (PII, PHI, payment data), access by an unauthorized party could trigger cyber-insurance notice obligations under the policy's discovery or knowledge provisions — verify with broker.
• Software supply chain contamination affecting downstream customers or partners may trigger contractual notification or indemnification clauses in software licensing or SaaS agreements — verify with counsel.