An employee’s personal GitHub repository can act like a ticking timebomb, and could also lead to exposing the company’s secrets to the world. As per a report from Aqua Nautilus, a security research team at Aqua Security, employees using personal GitHub repositories for side projects, mainly at Microsoft Azure, Tigera, and Red Hat, are unknowingly exposing corporate secrets and credentials to threat actors.
Believe it or not, personal repositories on GitHub can become corporate nightmares, as employees may use them to store or share work-related code, bypassing company security protocols.
This creates a “Shadow IT,” a dangerous blind spot for IT security teams. Shadow IT involves employees using IT systems without department approval or proper security controls, often installing unauthorized software on company computers, particularly in cloud-native development.
Researchers discovered that Microsoft was exposed to a privileged Azure Container Registry Token, allowing unauthorized access to internal Azure projects and potentially overwriting private images.
Further probing revealed that a Microsoft employee’s git commit exposed credentials to an Azure Container Registry, allowing access to critical images for Azure projects like Azure IoT Edge, Akri, and Apollo. This privileged access allowed private images to be downloaded and uploaded, potentially allowing malicious code to run within the Azure environment.
“We reported this issue to Microsoft, which then promptly invalidated the token, deleted the employee’s commit, and assigned this security incident an important severity,” report authors Yakir KadkodaAssaf Morag noted.
Similar exposures were also identified at RedHat and Tigera personal GitHub repositories. RedHat employees accidentally exposed tokens for internal container registries, which could lead to information leakage and supply chain attacks. After being notified, RedHat promptly invalidated the tokens, reviewed their internal credentials, and informed relevant owners.
Tigera’s internal container registry (quay.io/tigera) credentials were exposed in a Git commit of another company, containing images from various Tigera projects. When notified, Tigera invalidated the token and launched an investigation, which confirmed it was a scoped token, posing no risk to Tigera.
Nevertheless, Cloud credentials act as digital keys, allowing access to sensitive data and resources. If exposed on GitHub, anyone with an internet connection could gain access to an organization’s Azure or Red Hat environments.
To mitigate security risks, regularly scan the internet for exposed environments or secrets, encourage employees to regularly scan personal accounts, implement least privilege with scoped keys, and limit secret lifespan with expiration dates.
