GitHub

Last updated Nov 29, 2025

GitHub Download Zip From External Location

Detects external downloads of ZIP archives from private GitHub repositories.

Query

Extract ZIP download events for private repositories from GitHub audit logs in real-time. External downloads are identified by filtering source IP addresses that do not belong to internal network ranges.

| search action == "repo.download_zip" and visibility != "public"
| rename actor_ip as src_ip, actor as user
| matchnet guid="bb994ca4-1471-4b91-89f2-99a61bd529b5" field="src_ip" invert=t
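The same logic as an added Python example (not part of the original rule): the action and visibility filters, the field rename, and the inverted network match, run over a few constructed audit-log events. The internal ranges stand in for the network set the query's matchnet guid refers to and are assumed; the final function goes beyond the query and implements the short-period burst check from the Response Actions section.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for the matchnet network set (assumed): RFC 1918 ranges plus a VPN pool.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

# Constructed sample events using the audit-log field names the query consumes.
EVENTS = [
    {"_log_time": "2025-11-29T09:00:00", "action": "repo.download_zip", "actor": "alice", "actor_ip": "10.1.2.3", "repo": "acme/payments", "visibility": "private", "user_agent": "Mozilla/5.0"},
    {"_log_time": "2025-11-29T09:05:00", "action": "repo.download_zip", "actor": "bob", "actor_ip": "198.51.100.7", "repo": "acme/payments", "visibility": "private", "user_agent": "curl/8.4.0"},
    {"_log_time": "2025-11-29T09:06:00", "action": "repo.download_zip", "actor": "bob", "actor_ip": "198.51.100.7", "repo": "acme/infra", "visibility": "private", "user_agent": "curl/8.4.0"},
    {"_log_time": "2025-11-29T09:07:00", "action": "repo.download_zip", "actor": "bob", "actor_ip": "198.51.100.7", "repo": "acme/web", "visibility": "internal", "user_agent": "curl/8.4.0"},
    {"_log_time": "2025-11-29T09:10:00", "action": "repo.download_zip", "actor": "carol", "actor_ip": "198.51.100.9", "repo": "acme/docs", "visibility": "public", "user_agent": "Mozilla/5.0"},
    {"_log_time": "2025-11-29T09:12:00", "action": "git.clone", "actor": "dave", "actor_ip": "198.51.100.11", "repo": "acme/payments", "visibility": "private", "user_agent": "git/2.43"},
]

OUTPUT_FIELDS = ("_log_time", "src_ip", "user", "action", "repo", "visibility", "user_agent")

def is_internal(ip):
    """matchnet without invert: True when the address falls in any internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect_external_zip_downloads(events):
    """Apply the query: action/visibility filter, rename, then keep only non-internal sources."""
    hits = []
    for e in events:
        if e["action"] != "repo.download_zip" or e["visibility"] == "public":
            continue
        renamed = dict(e, src_ip=e["actor_ip"], user=e["actor"])  # rename actor_ip/actor
        if is_internal(renamed["src_ip"]):
            continue  # invert=t drops internal sources
        hits.append({k: renamed[k] for k in OUTPUT_FIELDS})
    return hits

def format_message(hit):
    """Render the rule's alert message for one hit."""
    return f"GitHub download ZIP: user {hit['user']} ({hit['src_ip']}), repository {hit['repo']}"

def burst_users(hits, window=timedelta(minutes=10), threshold=3):
    """Users with `threshold` or more external ZIP downloads inside one sliding `window`."""
    by_user = {}
    for h in hits:
        by_user.setdefault(h["user"], []).append(datetime.fromisoformat(h["_log_time"]))
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.append(user)
                break
    return sorted(flagged)
```

On the sample, only bob's three non-public downloads from 198.51.100.7 survive the filters, and bob is also flagged by the burst check.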

Message

  • GitHub download ZIP: user $user ($src_ip), repository $repo

Output Field Order

  • _log_time, src_ip, user, action, repo, visibility, user_agent

Threat Analysis

  • An attacker who has obtained internal GitHub credentials or a Personal Access Token (PAT) may download private repository source code directly from an external network.
  • ZIP downloads allow a large amount of source code and assets to be exfiltrated quickly in a single archive, making them an attractive method for data theft.
  • In normal development workflows, most access occurs from internal networks or VPN connections; therefore, private repository downloads from external IP ranges carry a high level of risk.
  • In recent incidents, compromised developer endpoints infected with malware initiated ZIP downloads directly from attacker-controlled servers, resulting in the exfiltration of source code and credentials.

False Positive

  • Users working legitimately from external locations—such as business trips, home networks, or situations where VPN was not used—may trigger this alert.
  • Automated scripts or CI/CD jobs that run from external IP ranges may also appear as suspicious downloads.
  • If external partners are granted limited access to download private repositories, such authorized activities may also appear in detections.

Response Actions

  • User Verification and Activity Validation

    • Immediately confirm with the user whether the download was intentional.
    • Inspect the user’s endpoint or automation environment for abnormal processes or potential credential exposure.
  • Repository Access Review

    • Check whether the user has excessive access to repositories and adjust privileges according to the principle of least privilege.
  • PAT and Credential Revocation

    • If credential compromise is suspected, revoke any associated PATs, SSH keys, and OAuth tokens and reissue new ones.
  • Investigate Suspicious Download Patterns

    • Look for multiple ZIP downloads by the same user within a short period, unusual User-Agent strings, or sudden changes in source IP.
  • Security Hardening

    • Consider enforcing MFA for external GitHub access and implementing repository download restrictions.
    • If malware infection is detected on the endpoint, isolate the device, remove the malware, and ensure prevention measures are in place.

MITRE ATT&CK