April 10, 2026
Social Engineering and Git Credential Exposure
Threat actors are increasingly combining social engineering with Git credential harvesting on platforms such as GitHub, GitLab, and Bitbucket, using compromised developers as the entry point into production infrastructure and software supply chains. A compromised developer credential can provide access to production systems, customer data, cloud environments, and every downstream consumer of that code.
Recent Activity Overview
- Threat actors are using social engineering to target developers with Git access, turning a single compromised credential into supply chain access: They pose as recruiters using fabricated companies, impersonated identities, and branded Slack workspaces. Once trust is established, they deliver malware through fake coding tests, fraudulent Zoom or Teams meeting links, and poisoned software packages. Reference: https://www.microsoft.com/en-us/security/blog/2026/03/11/contagious-interview-malware-delivered-through-fake-developer-job-interviews/
- Secrets committed to Git history persist after deletion: Git is designed to retain every version of every file ever committed. A secret removed from the current work tree remains intact in prior commits, retrievable by anyone with repository access, and that history propagates to every fork, clone, and backup. Rotate exposed credentials immediately; history purging is secondary. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
- Compromised GitHub Actions resulting in cascading supply chain attacks: One poisoned Action captures CI/CD secrets that are then used to compromise other Actions, creating a chain reaction across unrelated organizations. Reference: https://best.openssf.org/SCM-BestPractices/
- GitHub’s Git operation logging creates a critical gap for incident response:
Recommendations
- Centralized secrets management for all credentials
- Pre-commit scanning to block secrets before they enter repository history
- Server-side push protection to reject commits containing recognized secret patterns
- Mandatory multi-factor authentication and hardware security keys for all accounts with publish or commit access
- Corporate devices should not be used to execute code, install packages, or join meeting links provided by external parties outside of authorized business activities
- Aggregate historical Git operation logs
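The following Python script is an added illustration, not MOXFIVE tooling or any named product's scanner. It ties together two points above: the pre-commit scanning recommendation (scan only the lines a commit would add and refuse the commit on a hit) and the history-persistence point in the activity overview (a secret deleted from the current work tree is still present in an earlier snapshot, so a scan of HEAD alone misses it). The detection rules are heuristics assumed for the example: the `AKIA` + 16 uppercase/digit shape of an AWS access key ID is a publicly documented format, while the generic assignment rule plus Shannon-entropy gate is a common scanner pattern. The diff and the two commit snapshots are constructed sample data, and the "secret" values in them are obviously fake.

```python
"""Added example (not MOXFIVE's code): a minimal pre-commit secret scanner and a
full-history scan over constructed commit snapshots."""
import math
import re

# Heuristic rules assumed for this example. The AWS access key ID shape is a
# publicly documented format; the generic assignment rule is a broad heuristic
# that is gated by entropy below to suppress placeholder values.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})"),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; tune per repository


def shannon_entropy(s):
    """Shannon entropy in bits per character; random tokens score high,
    repeated or dictionary-like placeholders score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<text>"):
    """Return (path, line_no, rule) for each line matching a rule. Generic
    assignments are reported only when the value looks random."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                continue
            findings.append((path, line_no, rule))
    return findings


def scan_diff(diff_text):
    """Pre-commit hook logic: scan only the lines the commit would add
    ('+' lines, excluding the '+++' file header). Line numbers refer to
    the diff text, which is what a hook would print back to the developer."""
    findings = []
    path = "<diff>"
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if line.startswith("+"):
            for _, _, rule in scan_text(line[1:], path):
                findings.append((path, line_no, rule))
    return findings


def commit_allowed(diff_text):
    """A hook would exit non-zero (block the commit) when this returns False."""
    return not scan_diff(diff_text)


def scan_history(commits):
    """Walk every snapshot, oldest to newest, as `git log -p` or `git grep`
    across all revisions would, instead of checking only HEAD."""
    hits = []
    for commit in commits:
        for path, content in commit["files"].items():
            for _, line_no, rule in scan_text(content, path):
                hits.append((commit["sha"], path, line_no, rule))
    return hits


# Constructed sample data: a staged diff that rotates a placeholder into a
# random-looking token, and two commit snapshots where the second "removes"
# a key that the first still carries.
CONSTRUCTED_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
 DEBUG = False
-API_KEY = "aaaaaaaaaaaaaaaaaaaa"
+API_KEY = "q7Zp2LmX9vR4tB8nK3wY6sH1dF5gJ0cA"
+TIMEOUT = 30
"""
CONSTRUCTED_HISTORY = [
    {"sha": "c0ffee1", "files": {"config.py": 'aws_access_key_id = "AKIAEXAMPLE0000DEMO1"\nregion = "us-east-1"\n'}},
    {"sha": "c0ffee2", "files": {"config.py": 'region = "us-east-1"\n'}},  # HEAD: key deleted
]

if __name__ == "__main__":
    print("pre-commit findings:", scan_diff(CONSTRUCTED_DIFF))
    print("commit allowed:", commit_allowed(CONSTRUCTED_DIFF))
    print("HEAD only:", scan_text(CONSTRUCTED_HISTORY[-1]["files"]["config.py"], "config.py"))
    print("full history:", scan_history(CONSTRUCTED_HISTORY))
```

Running it shows the two behaviours side by side: the diff is blocked because of the high-entropy `API_KEY` on its added line, and the HEAD-only scan of `config.py` is clean while the history scan still reports the key in the earlier commit, which is why rotation, not deletion, is the first response to an exposed credential.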
How MOXFIVE Can Help
The MOXFIVE Digital Forensics and Incident Response (DFIR) team provides deep technical and investigative experience combined with our agentic forensics platform to quickly deliver reliable and actionable findings for our clients.
The MOXFIVE Business Resilience team provides proactive security services and strategic advisory support backed by MOXGUARD. If you need ongoing advisory guidance or to strengthen your developer security posture prior to an incident, reach out to our team at proactive@moxfive.com.
If you have questions or are experiencing an incident, contact us at 833-568-6695 or email our team at incident@moxfive.com.