GitHub

Last updated Nov 29, 2025

GitHub Public Repo Created

Detects when a public code repository is created on GitHub.

Query

Extracts public repository creation events from GitHub audit logs in real time. Only events whose action is repo.create and whose visibility is public are matched; the actor_ip field is renamed to src_ip so it lines up with the other rules' output.

| search action == "repo.create" and visibility == "public"
| rename actor_ip as src_ip

Message

  • GitHub public repo created: actor $actor, repository $repo

Output Field Order

  • _log_time, src_ip, actor, action, repo, visibility, public_repo, actor_is_bot, user_agent, request_id, operation_type

Threat Analysis

  • An attacker who has obtained credentials from the internal environment (for example a Personal Access Token harvested from a developer workstation or CI runner) can use them to create publicly accessible repositories on GitHub under the victim's account or organization.
  • If internal data is exfiltrated by pushing it to a public GitHub repository, the activity blends in with normal GitHub traffic from the same hosts and accounts, which makes early detection difficult.
  • A representative case occurred on November 25, 2025: the Sha1-Hulud worm, delivered through compromised npm packages, automatically created public GitHub repositories and used them to exfiltrate credentials collected from developer endpoints.

False Positive

  • This alert also triggers when public repositories are created intentionally. Because public repository creation is uncommon in most organizations, each event can be reviewed and dismissed individually, or known naming patterns for intentionally public projects can be added as exceptions. Note that the rule matches creation events only: a private repository that is later switched to public is recorded under a different audit log action (repo.access) and is not covered by this query.
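The detection logic above, together with the naming-pattern exceptions described under False Positive, as an added Python example that is not part of the original rule or of GitHub's tooling. It runs the same two-field filter over constructed records shaped like GitHub audit log streaming events (the field names follow GitHub's schema, every value is made up), renames actor_ip to src_ip, emits fields in the rule's output order, and builds the alert message. The allowlist pattern for "acme/*-public" repositories is a hypothetical policy, not something the page defines.

```python
import json
import re

# Constructed sample records in the shape of GitHub audit log streaming events
# (field names follow GitHub's audit log schema; every value here is made up).
SAMPLE_EVENTS = [
    {"@timestamp": 1764028800000, "action": "repo.create", "actor": "ci-bot",
     "actor_ip": "203.0.113.10", "repo": "acme/internal-tools", "visibility": "private",
     "public_repo": False, "actor_is_bot": True, "user_agent": "GitHub.com",
     "request_id": "req-0001", "operation_type": "create"},
    {"@timestamp": 1764029100000, "action": "repo.create", "actor": "jdoe",
     "actor_ip": "198.51.100.7", "repo": "acme/handbook-public", "visibility": "public",
     "public_repo": True, "actor_is_bot": False, "user_agent": "Mozilla/5.0",
     "request_id": "req-0002", "operation_type": "create"},
    {"@timestamp": 1764029400000, "action": "repo.create", "actor": "jdoe",
     "actor_ip": "198.51.100.7", "repo": "jdoe/migration-8f3a1c", "visibility": "public",
     "public_repo": True, "actor_is_bot": False, "user_agent": "node-fetch/1.0",
     "request_id": "req-0003", "operation_type": "create"},
    # A visibility change on an existing repo is a different action and must not match.
    {"@timestamp": 1764029500000, "action": "repo.access", "actor": "jdoe",
     "actor_ip": "198.51.100.7", "repo": "acme/billing", "visibility": "public",
     "public_repo": True, "actor_is_bot": False, "user_agent": "Mozilla/5.0",
     "request_id": "req-0004", "operation_type": "modify"},
]

# Audit log streaming delivers one JSON object per line; a broken line is included
# on purpose so the parser's error handling is exercised (constructed input).
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all\n"

OUTPUT_FIELD_ORDER = ["_log_time", "src_ip", "actor", "action", "repo", "visibility",
                      "public_repo", "actor_is_bot", "user_agent", "request_id", "operation_type"]

# Hypothetical allowlist of naming patterns that are public by policy (assumption).
ALLOWED_PUBLIC_PATTERNS = [re.compile(r"^acme/[\w.-]+-public$")]


def matches_rule(event):
    """Equivalent of: search action == "repo.create" and visibility == "public"."""
    return event.get("action") == "repo.create" and event.get("visibility") == "public"


def is_known_exception(repo):
    """True when the repository name matches an allowlisted public naming pattern."""
    return any(p.match(repo or "") for p in ALLOWED_PUBLIC_PATTERNS)


def to_alert(event):
    """Rename actor_ip to src_ip, order fields as the rule's output, append the message."""
    row = {"_log_time": event.get("@timestamp"), "src_ip": event.get("actor_ip")}
    for field in OUTPUT_FIELD_ORDER[2:]:
        row[field] = event.get(field)
    row["message"] = f"GitHub public repo created: actor {row['actor']}, repository {row['repo']}"
    return row


def detect(events, suppress_exceptions=True):
    """Run the rule over parsed events; optionally drop allowlisted repositories."""
    alerts = []
    for event in events:
        if not matches_rule(event):
            continue
        if suppress_exceptions and is_known_exception(event.get("repo")):
            continue
        alerts.append(to_alert(event))
    return alerts


def detect_ndjson(text, suppress_exceptions=True):
    """Parse newline-delimited JSON, skipping blank or malformed lines, then run the rule."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return detect(events, suppress_exceptions)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["message"], "| src_ip", alert["src_ip"], "| user_agent", alert["user_agent"])
```

Run against the sample, only jdoe/migration-8f3a1c produces an alert: the private creation and the repo.access event fail the filter, and acme/handbook-public is suppressed by the allowlist. Passing suppress_exceptions=False shows both public creations, which is the mode to use when reviewing whether an exception pattern is too broad.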

Response Actions

  • Change Repository Visibility

    • Immediately convert any unintended public repositories to private. Treat everything already pushed to the repository as exposed, since it may have been cloned, forked, or indexed before the change, and rotate any secrets found in its contents.
  • Revoke API Tokens and Invalidate Authentication

    • Revoke all GitHub Personal Access Tokens (PATs), OAuth app authorizations, and SSH keys suspected to be affected, starting with the credentials of the creating account.
  • Investigate the Creator Account and Endpoint

    • Use the account, user agent, and source IP address to identify where the unexpected activity originated, and investigate potential malware infection paths.
  • Assess GitHub Impact

    • Examine activity around the time of the incident for unauthorized permission grants, workflow creation, or other unusual behavior.
  • Recovery Measures

    • If malware is detected on endpoints, remove it and take measures to prevent reinfection through similar methods.
    • Issue new API tokens to replace revoked ones.
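The first and fourth response steps (making the repository private again and looking at surrounding audit log activity), as an added Python example that is not part of the original page or of GitHub's own tooling. It prepares the documented GitHub REST calls (PATCH /repos/{owner}/{repo} with visibility=private, and GET /orgs/{org}/audit-log filtered with the audit log search syntax, which requires GitHub Enterprise Cloud) so they can be reviewed before sending, and triages a constructed set of lookback events. The token value, the SUSPICIOUS_ACTIONS list, and the sample events are assumptions to adapt to your environment.

```python
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.github.com"
TOKEN_PLACEHOLDER = "ghp_REPLACE_ME"  # placeholder; supply a token with repo and audit_log scope


def build_request(method, path, token, body=None, params=None):
    """Assemble an authenticated GitHub REST request without sending it."""
    url = API_BASE + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Accept", "application/vnd.github+json")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("X-GitHub-Api-Version", "2022-11-28")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def make_private_request(owner, repo, token):
    """PATCH /repos/{owner}/{repo} with visibility=private (the documented update-repository call)."""
    return build_request("PATCH", f"/repos/{owner}/{repo}", token, body={"visibility": "private"})


def audit_lookback_request(org, actor, since_date, token):
    """GET /orgs/{org}/audit-log using the actor: and created: search qualifiers (since_date is YYYY-MM-DD)."""
    phrase = f"actor:{actor} created:>={since_date}"
    return build_request("GET", f"/orgs/{org}/audit-log", token,
                         params={"phrase": phrase, "include": "all", "per_page": 100})


def describe(req):
    """Summarise a prepared request so it can be reviewed (or asserted on) before it is sent."""
    return {"method": req.get_method(), "url": req.full_url,
            "body": json.loads(req.data) if req.data else None}


def send(req):
    """Send a prepared request and return the decoded JSON body (this is the only network call)."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = resp.read()
    return json.loads(payload) if payload else None


# Audit log actions worth flagging in the lookback window: permission grants, workflow
# activity and credential or repository creation. Assumed starting list; extend as needed.
SUSPICIOUS_ACTIONS = {
    "org.add_member", "org.update_member", "repo.add_member", "team.add_member",
    "workflows.created_workflow_run", "repo.create", "repo.access",
    "personal_access_token.create", "oauth_application.create",
}

# Constructed events standing in for an audit-log API response (values are made up).
SAMPLE_LOOKBACK = [
    {"action": "repo.add_member", "actor": "jdoe", "repo": "acme/billing", "@timestamp": 1764029520000},
    {"action": "repo.create", "actor": "jdoe", "repo": "jdoe/migration-8f3a1c", "@timestamp": 1764029400000},
    {"action": "git.clone", "actor": "jdoe", "repo": "acme/docs", "@timestamp": 1764029580000},
    {"action": "workflows.created_workflow_run", "actor": "jdoe", "repo": "jdoe/migration-8f3a1c", "@timestamp": 1764029460000},
]


def triage(events):
    """Return the lookback events an analyst should review first, oldest first."""
    hits = [e for e in events if e.get("action") in SUSPICIOUS_ACTIONS]
    return sorted(hits, key=lambda e: e.get("@timestamp", 0))


if __name__ == "__main__":
    print(describe(make_private_request("acme", "leaked-repo", TOKEN_PLACEHOLDER)))
    print(describe(audit_lookback_request("acme", "jdoe", "2025-11-25", TOKEN_PLACEHOLDER)))
    for hit in triage(SAMPLE_LOOKBACK):
        print(hit["@timestamp"], hit["action"], hit["repo"])
```

The requests are built and described separately from send() so the exact method, URL and body can be logged to the incident record before anything is changed; call send(make_private_request(...)) only after the repository name has been confirmed against the alert's repo field.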

MITRE ATT&CK