Credentials leaked on GitHub

Postmortem about the incident that could have affected artifacts on repo.eclipse.org

What happened?


What was leaked?

What were the threats?

  • Removal of published items. This is destructive, but its impact is limited because we have regular backups.
  • Some jars could be tampered with to add classes with malicious code that can run on the systems where they are deployed.
  • Some pom.xml files could be modified to add/change dependencies so that downstream consumers would fetch those dependencies (with potentially malicious code).

How was it mitigated?

Has there been any malicious usage of those credentials?

What was audited?

If a file was tainted, its mtime can only be between the leak date and the time we revoked the credentials.

  • All files with the same GAV triplet (groupId, artifactId, version) must not differ from each other by more than 1 hour.
  • All files with the same groupId and version must not differ from each other by more than 6 hours.
  • All files with the same version must not differ from each other by more than 2 days.
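The mtime-coherence checks listed above can be run as a script over a file listing of the repository. The following is an added example, not the Eclipse Foundation's own audit tooling: it parses the GAV from a standard Maven directory layout, groups files at the three levels with the thresholds stated on the page, and reports only files whose mtime is an outlier within the group and falls inside the leak window (the leak and revocation dates below are placeholders, and the file listing is constructed sample data).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Leak window: placeholder dates, the real ones are not given on the page.
LEAK_START = datetime(2021, 1, 3, tzinfo=timezone.utc)
REVOKED_AT = datetime(2021, 1, 9, tzinfo=timezone.utc)

# Maximum mtime spread allowed at each grouping level (from the postmortem).
THRESHOLDS = {
    "gav": timedelta(hours=1),            # same groupId:artifactId:version
    "group_version": timedelta(hours=6),  # same groupId and version
    "version": timedelta(days=2),         # same version string
}


def parse_gav(path):
    """Derive (groupId, artifactId, version) from a Maven-layout path
    such as org/example/core/1.0.0/core-1.0.0.jar."""
    parts = path.strip("/").split("/")
    if len(parts) < 4:
        raise ValueError(f"not a Maven repository path: {path}")
    return ".".join(parts[:-3]), parts[-3], parts[-2]


def audit(entries, leak_start, revoked_at, thresholds=THRESHOLDS):
    """entries: iterable of (path, mtime as aware datetime).
    Returns a list of findings; each names the grouping level, the group key,
    the observed mtime spread and the suspect files (outliers inside the window)."""
    groups = {
        "gav": defaultdict(list),
        "group_version": defaultdict(list),
        "version": defaultdict(list),
    }
    for path, mtime in entries:
        g, a, v = parse_gav(path)
        groups["gav"][(g, a, v)].append((path, mtime))
        groups["group_version"][(g, v)].append((path, mtime))
        groups["version"][v].append((path, mtime))

    findings = []
    for level, buckets in groups.items():
        limit = thresholds[level]
        for key, members in buckets.items():
            times = sorted(m for _, m in members)
            spread = times[-1] - times[0]
            if spread <= limit:
                continue
            # Use the median mtime as the reference so a single tampered file
            # does not drag the reference point with it.
            reference = times[len(times) // 2]
            suspects = sorted(
                p for p, m in members
                if abs(m - reference) > limit and leak_start <= m <= revoked_at
            )
            # A spread caused only by files outside the leak window is noise.
            if suspects:
                findings.append(
                    {"level": level, "key": key, "spread": spread, "suspects": suspects}
                )
    return findings


def suspect_paths(findings):
    """Union of all suspect files across levels, for the manual review list."""
    return sorted({p for f in findings for p in f["suspects"]})


# Constructed sample listing: one sources jar re-uploaded two days after the
# rest of its GAV, plus an old artifact pair whose spread predates the leak.
SAMPLE_ENTRIES = [
    ("org/example/core/1.0.0/core-1.0.0.jar", datetime(2021, 1, 5, 10, 0, tzinfo=timezone.utc)),
    ("org/example/core/1.0.0/core-1.0.0.pom", datetime(2021, 1, 5, 10, 20, tzinfo=timezone.utc)),
    ("org/example/util/1.0.0/util-1.0.0.jar", datetime(2021, 1, 5, 12, 0, tzinfo=timezone.utc)),
    ("org/example/core/1.0.0/core-1.0.0-sources.jar", datetime(2021, 1, 7, 15, 0, tzinfo=timezone.utc)),
    ("org/example/legacy/0.9.0/legacy-0.9.0.jar", datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)),
    ("org/example/legacy/0.9.0/legacy-0.9.0.pom", datetime(2020, 6, 2, 9, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES, LEAK_START, REVOKED_AT):
        print(f"[{f['level']}] {f['key']}: spread {f['spread']}, review {f['suspects']}")
    print("files to verify by hand:", suspect_paths(SAMPLE_ENTRIES and audit(SAMPLE_ENTRIES, LEAK_START, REVOKED_AT)))
```

On a real repository the listing would come from something like `find <repo-root> -type f -printf '%P %T@\n'`, converting the epoch seconds to aware datetimes before calling `audit`. The heuristic only narrows the review set: a file it flags still needs its signature or checksum verified against a trusted copy, and a file it does not flag is not proven clean, which is the caveat the postmortem itself draws for snapshot artifacts.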

We managed to validate — to the best of our knowledge — that no release artifacts were tainted because of this leak. Unfortunately, we can’t do much for the snapshot artifacts. We know that about 13k of them are signed jars, but for the rest, it’s impossible to confirm or deny anything.

Is there anything I need to do for my project?

What are the plans to prevent this from happening again?

  • We will stop generating secrets inside the git repo folder so that such a file can never be committed again. Note that we already had a .gitignore with the proper rules, but for some reason it has not been enough.
  • We will enforce code reviews for all code submissions to sensitive CBI repositories.
  • We will grant permissions to projects only on repositories associated with those projects. This will help contain the potential blast radius of such a leak, should it happen again in the future.
