How Exposed GitHub Secrets Can Open Doors to Cloud Attacks
Many organizations rely on GitHub Actions secrets to hold the passwords, API keys, and tokens their CI/CD workflows need. Because a secret's value is encrypted at rest and cannot be read back through the web UI or the API once it is stored, the secrets are widely assumed to be well protected. Recent incident-response findings show, however, that attackers who obtain a GitHub Personal Access Token (PAT) can reach these secrets through the workflows that use them and pivot straight into the cloud environments the secrets unlock. This is a supply-chain problem for any company that deploys from GitHub.
The Hidden Risks of GitHub Action Secrets
GitHub Actions secrets are designed to stay private, but the workflows that consume them run with whatever access the repository grants. A recent study by the Wiz Customer Incident Response Team found threat actors using leaked PATs to get at those secrets. Once they hold the secrets, they move on to the cloud platforms the credentials belong to, such as AWS, Azure, or Google Cloud, and take control of the resources there. The problem is widespread because many organizations keep long-lived cloud credentials as secrets in private repositories, trusting the repository's visibility setting to protect them.
A PAT carries the permissions of the account that issued it, so it works as a backstage pass: the attacker can act as that developer or automation bot. With that access they can do anything the legitimate user could, including running commands in workflows, modifying repository settings, and provisioning new cloud resources. The result can be a full breach, with data theft, malware deployment, or persistence set up for later use.
How Attackers Exploit GitHub Secrets
A key weakness is that a PAT with nothing more than read access to a repository is enough to enumerate its contents through GitHub's API. An attacker can pull every file under .github/workflows and search it for the secret names the workflows inject, which appear in plain text as expressions like “${{ secrets.SECRET_NAME }}”. The secret values are not returned, but the names reveal which workflow unlocks which credential, and read-only API calls of this kind do not appear in the audit log, so security teams have little to spot.
The attacker's activity is also easy to hide. GitHub Actions runners use shared, legitimate IP ranges managed by GitHub, so requests made from a hijacked workflow look like normal CI traffic. When a workflow is loosely configured, or the same secrets are reused across many projects, the attacker can impersonate that workflow, consume its secrets, and reach every resource they grant, extending their stay in the compromised environment.
From there the damage escalates quickly. With cloud credentials in hand, threat actors can enumerate cloud configurations, read sensitive data, spin up virtual machines, query databases, or steal source code, all while creating their own ways back in. A single leaked access key for a broadly permissioned identity can hand over a company's entire cloud footprint.
The lesson is to treat Actions secrets with the same care as passwords, and to treat long-lived cloud keys stored in a repository as a liability. Organizations should inventory which workflows reference which secrets, replace static cloud keys with short-lived credentials where the provider supports it, rotate anything that may have been exposed, and monitor PAT usage and API activity for signs of enumeration.
In the end, the message is clear: secrets stored in GitHub repositories are not as secret as they seem. Attackers are actively exploiting these weaknesses to put cloud environments at risk, and companies must rethink how they handle sensitive data in CI/CD if they want to stay ahead of them.
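The scan described above, in which a read-only token is enough to learn which secrets each workflow injects, is the same scan a defender can run as the audit recommended here. The following script is an added example and not code from the original article or from Wiz; it parses workflow files for “${{ secrets.NAME }}” references, builds an inventory of secret name to workflow, and flags workflows that inject long-lived cloud keys by name (the name list and the two sample workflows are constructed for the example, and the OIDC-based alternative shown in the second sample is assumed as the hardened pattern rather than taken from the article).

```python
import re
from collections import defaultdict

# Constructed sample workflow files (not from the article or any real repo).
# deploy.yml injects long-lived AWS keys held as Actions secrets; release.yml
# obtains short-lived AWS credentials via OIDC and holds no cloud key at all.
WORKFLOWS = {
    ".github/workflows/deploy.yml": """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - run: aws s3 sync ./dist s3://example-bucket
        env:
          SLACK_WEBHOOK: ${{secrets.SLACK_WEBHOOK}}
""",
    ".github/workflows/release.yml": """\
name: release
on: [push]
permissions:
  id-token: write
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-release
          aws-region: us-east-1
      - run: ./release.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
""",
}

# Matches every expression that injects an Actions secret into a workflow,
# tolerating the optional whitespace GitHub allows inside the braces.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

# Secret names that conventionally hold long-lived cloud credentials
# (assumed heuristic list; extend it for your own naming conventions).
CLOUD_CRED_NAMES = re.compile(
    r"^(AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)"
    r"|AZURE_(CLIENT_SECRET|CREDENTIALS)"
    r"|GOOGLE_(CREDENTIALS|APPLICATION_CREDENTIALS)|GCP_SA_KEY)$"
)


def secret_references(workflows):
    """Map each referenced secret name to the workflow files that use it.
    This is exactly what read access to the repository contents exposes."""
    refs = defaultdict(set)
    for path, text in workflows.items():
        for name in SECRET_REF.findall(text):
            refs[name].add(path)
    return {name: sorted(paths) for name, paths in refs.items()}


def long_lived_cloud_creds(workflows):
    """Return workflow files that inject long-lived cloud keys from secrets
    instead of obtaining short-lived credentials through OIDC federation."""
    flagged = []
    for path, text in workflows.items():
        names = set(SECRET_REF.findall(text))
        if any(CLOUD_CRED_NAMES.match(n) for n in names):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for name, paths in sorted(secret_references(WORKFLOWS).items()):
        print(f"{name}: {', '.join(paths)}")
    for path in long_lived_cloud_creds(WORKFLOWS):
        print(f"WARN: long-lived cloud credential injected in {path}; "
              "prefer OIDC (permissions: id-token: write + role-to-assume)")
```

Run against a checkout, the inventory tells you which secrets an attacker with read access would learn about, and the warning list tells you which of those are worth the most to them. The release.yml sample is not flagged because it never references a cloud key: the workflow exchanges a GitHub-issued OIDC token for temporary AWS credentials, so there is nothing long-lived in the repository to steal.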