GitHub wasn't hacked on May 19, 2026. GitHub.com is fully operational, all metrics green. But within the same news cycle, three incidents converged — and they all share the same wound: tokens, credentials, and secrets abandoned in CI/CD pipelines.
Grafana Labs lost its entire codebase. CISA, the United States' own cybersecurity agency, exposed plaintext passwords and cloud keys in a public repository. And Shai-Hulud 2.0, a worm that began in November 2025, has now infected over 30,000 repositories and stolen more than 500 GitHub credentials.
Three stories. One pattern. The enemy isn't breaking down the door — they're using the keys we left under the doormat.
1. Grafana Labs — How a GitHub Actions Token Surrendered the Entire Codebase
What Happened
Grafana Labs, the company behind the popular open-source observability stack, disclosed on May 16 that an attacker gained access to their GitHub environment and downloaded their entire private codebase. The extortion group CoinbaseCartel — an offshoot of ShinyHunters, Scattered Spider, and LAPSUS$ — claimed responsibility and demanded ransom. Grafana refused to pay.
How They Got In
The attack vector was surgical. No password cracking, no phishing. The attackers exploited a known vulnerability called "Pwn Request" in GitHub Actions:
- They found a workflow using `pull_request_target` that was misconfigured. This GitHub Actions event runs in the context of the base repository — not the fork — and has access to the original repository's secrets. If not properly sanitized, anyone can fork the repo, modify the workflow, and execute arbitrary code with privileged permissions.
- They forked a public Grafana repository and modified the workflow to inject a `curl` command that exfiltrated environment variables to a file, encrypting it with the attacker's private key.
- The environment variables contained the privileged token: a GitHub access token that could clone private repositories. Once obtained, the attackers replicated the attack against four additional internal repositories and downloaded the entire codebase.
- They covered their tracks. The fork was deleted immediately after the attack.
How They Caught It
Grafana had deployed canary tokens — decoys that, when accessed, trigger an automatic alert to the security team. One of those tokens fired during exfiltration, enabling rapid containment.
What Grafana Did Right
- Immediately invalidated compromised credentials.
- Removed the vulnerable GitHub Action.
- Disabled all workflows in public repositories.
- Was transparent: communicated the incident via an X thread within 48 hours.
- Followed FBI guidance: refused to pay ransom.
2. CISA — The U.S. Cybersecurity Agency Exposed Its Own Keys
The irony borders on literary. The Cybersecurity and Infrastructure Security Agency (CISA), responsible for protecting the U.S. federal government's digital infrastructure, exposed plaintext credentials in a public GitHub repository.
What Happened
A CISA contractor uploaded spreadsheets containing passwords, AWS GovCloud keys, access tokens, and other secrets to a publicly accessible repository. Security researcher Guillaume Valadon of GitGuardian found them before any attacker did. He tested some keys — and they were valid. They had access to CISA and Department of Homeland Security systems.
Valadon reported the finding to journalist Brian Krebs because the CISA contractor did not respond to GitGuardian's alerts.
What It Reveals
This was not a sophisticated attack. It was basic operational negligence: credentials in unprotected files, in a repository without access controls, maintained by an external contractor without oversight. CISA — the agency that issues cybersecurity guidance for the entire federal government — violated its own first rule.
CISA stated there is "no indication that any sensitive data was compromised." But the fact that the keys were still valid when Valadon found them means the exposure window was real.
3. Shai-Hulud 2.0 — The Silent Worm That Infected 30,000 Repos
What Happened
Shai-Hulud 2.0 is a supply chain malware campaign that began in November 2025 and remains active. As of May 2026, Wiz Research tracks:
- 30,000+ compromised repositories
- 500+ exposed GitHub credentials
- 60% of stolen npm tokens still valid
- Malicious packages published under victims' legitimate accounts
How It Works
The worm spread through malicious npm packages — notably @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3. Once installed on a CI/CD runner (primarily GitHub Actions), the malware:
- Scans the environment for GitHub tokens, npm tokens, and cloud credentials.
- Uses TruffleHog to extract secrets from files.
- Automatically creates public repositories under the victim's account, filled with stolen data.
- Replicates using one victim's tokens to infect under another's identity — what Wiz calls "cross-victim exfiltration." This makes tracing the origin extremely difficult.
77% of infections occurred on CI/CD runners, not developer machines. Automated environments are the target because they have access to secrets.
The Pattern: Your CI/CD Pipeline Is Your New Security Perimeter
Let's put the three incidents side by side:
| Incident | Attack Vector | What Was Exposed | Who Detected It |
|---|---|---|---|
| Grafana Labs | Unsanitized pull_request_target in GitHub Actions | GitHub token with access to private codebase | Internal canary token |
| CISA | Unprotected spreadsheet in public repo | Passwords, AWS GovCloud keys, DHS tokens | GitGuardian (external researcher) |
| Shai-Hulud 2.0 | Malicious npm package executing in CI/CD | 500+ GitHub credentials, npm tokens, cloud keys | Wiz Research |
Three different vectors. The same root vulnerability: the CI/CD pipeline has access to production secrets and almost nobody audits it with the same rigor they audit production code.
The pipeline is the new perimeter. And in most organizations, it's wide open.
Checklist: Is Your Pipeline Exposed?
Audit your repositories and GitHub Actions workflows with these questions. If the answer to any is "I don't know" or "no," you have a risk to address:
- Do you use `pull_request_target` in public workflows? If yes, is every step explicitly sanitized to prevent executing code from the fork? If you can't answer with certainty, disable it until you've audited it.
- Do your public workflows have access to secrets? Workflows in public repositories should never have access to tokens that can clone private repos, publish packages, or modify infrastructure. Use separate environments with manual approval gates.
- Do you rotate CI/CD secrets periodically? A token that doesn't rotate is a master key with no expiration date. If a token leaked six months ago, the fact that nothing happened doesn't mean it's safe — it means the attacker hasn't used it yet.
- Do you have secret detection across all repositories? GitGuardian, TruffleHog, GitHub Secret Scanning — use at least one. But don't just scan source code: scan issues, wikis, pull requests, and GitHub Actions logs. Secrets show up where you least expect them.
- Have you implemented canary tokens? The Grafana lesson: canary tokens turn a silent theft into immediate detection. They're cheap to deploy and have zero false positives — if one fires, it's real.
- Do you review workflow dependencies? Every third-party action you use in your pipeline (`actions/checkout`, `docker/login-action`, etc.) is an attack surface. Pin them to a specific commit hash, not a branch or mutable tag.
- Are CI/CD runners isolated from production? A CI runner should not have network access to your production databases, Kubernetes clusters, or internal APIs. If the runner gets compromised, the blast radius should be contained.
- Do you know what tokens every external collaborator has? Contractors, freelancers, and external agencies are an underestimated risk vector. CISA learned this the hard way. Audit every external collaborator's permissions on your repositories.
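Added example (not from the original post, and not Grafana's or GitHub's code): a small Python auditor that applies the checklist's `pull_request_target`, secrets, permissions and action-pinning questions to workflow text, run here against a constructed weak workflow of the kind described in the Grafana section and its hardened counterpart. The two sample workflows, the 40-hex placeholder pin and the finding strings are assumptions made for illustration, not values from any of the incidents above.

```python
import re

# Constructed sample workflows (not Grafana's real configuration). Weak: base-repo
# context, fork code checked out, secrets in env, write-all token.
WEAK_WORKFLOW = """
on: [pull_request_target]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test   # install scripts run fork code next to secrets
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Hardened: plain pull_request (fork gets a read-only token and no secrets),
# least-privilege permissions, action pinned to a full SHA (placeholder hex).
HARDENED_WORKFLOW = """
on: [pull_request]
permissions: {contents: read}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

USES = re.compile(r"uses:\s*([\w./-]+)@(\S+)")
FORK_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit_workflow(text: str) -> list[str]:
    findings = []
    prt = "pull_request_target" in text
    if prt and FORK_REF.search(text):
        findings.append("pwn-request: pull_request_target checks out fork code")
    elif prt:
        findings.append("pull_request_target present: confirm no fork code runs")
    if prt and "secrets." in text:
        findings.append("secrets exposed to a pull_request_target job")
    if re.search(r"permissions:\s*write-all", text):
        findings.append("permissions: write-all on GITHUB_TOKEN")
    for action, ref in USES.findall(text):
        if not re.fullmatch(r"[0-9a-f]{40}", ref):  # tags and branches are mutable
            findings.append(f"unpinned action {action}@{ref}")
    return findings
```

Point it at each file under `.github/workflows/` and treat any non-empty result as an item to fix before the workflow runs on a public repository.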
How Guayoyo Tech Can Help
At Guayoyo Tech, we're not a traditional cybersecurity company — and that's exactly the point. We won't sell you a $15,000/month SOC. We help you with what you actually need: hardening your development pipelines without paralyzing your team.
GitHub Actions & CI/CD Security Audit
- We review all your public and private workflows.
- We identify excessive permissions, mismanaged secrets, and attack surfaces like unsanitized `pull_request_target`.
- We deliver an executive report with prioritized actions — not a 200-page PDF, but what you need to fix tomorrow.
Continuous Secret Detection
- We configure GitGuardian, GitHub Secret Scanning, or TruffleHog across your repositories.
- We automate alerts so an exposed secret doesn't survive more than minutes.
- We integrate detection into your pipeline: if a commit contains a credential, the build fails.
Canary Tokens & Integrity Monitoring
- We deploy canary tokens across your repositories and CI/CD environments.
- We configure automatic alerts when a decoy token is accessed.
- We monitor anomalous activity in your workflows: executions from unauthorized forks, environment variable changes, off-hours access.
Automated Secret Rotation
- We implement periodic rotation of GitHub, npm, Docker Hub, and cloud provider tokens.
- We integrate with HashiCorp Vault or GitHub Secrets Manager so no secret lives longer than 90 days.
You don't need to be Grafana for this to happen to you. You just need one misplaced token in the wrong place.
The difference between Grafana and most organizations isn't that Grafana was more vulnerable — it's that they had canary tokens and caught it. Most companies don't find out until their code is already on an extortion forum.
At Guayoyo Tech, we audit CI/CD pipelines and harden development environments. No fear-mongering. Real prevention.
Book a free discovery call. We'll review your GitHub Actions workflows and tell you exactly what to fix, no commitment.