Secrets Exposed: The Rise of GitHub as an Attack Vector
2024-07-03 00:21:13 Author: securityboulevard.com

A Look at Chariot’s Capability to Protect

On June 6, 2024, an anonymous user posted nearly 300 GB of stolen source code to 4chan. According to the poster, the leak contained “basically all source code belonging to The New York Times”. The NYT later confirmed the leak and said the root cause was an exposed GitHub token.

Public source code platforms such as GitHub are a growing attack vector. GitHub users exposed millions of secrets to the internet in 2023 alone, and Praetorian’s own Red Teams use such exposed secrets as entry points into client infrastructure during customer engagements. Beyond secrets, GitHub Actions has turned GitHub into a popular CI/CD pipeline, which creates several new attack vectors of its own. Praetorian previously wrote about GitHub CI/CD attacks and will present a detailed review of these techniques at Black Hat USA 2024.

To protect our clients from GitHub-based risks, Praetorian Labs built a new capability for Chariot’s toolbelt. You can now use this tool to secure your organization from hard-coded secrets, CI/CD misconfigurations, repository exposures, and more.

What is the GitHub Capability?

Chariot tracks GitHub repositories as assets alongside IP addresses, domain names, and other conventional attack-surface entries. When a user adds a GitHub seed value (an organization or a user) to Chariot:

  • Chariot spiders every repository belonging to the specified organization or user.
  • If the seed is an organization, Chariot also enumerates all public repositories belonging to each organization member.
  • Chariot then scans every identified repository for:
    • Exposed secrets in the source code (using Nosey Parker)
    • CI/CD misconfigurations (using Gato)
    • Newly created public repositories (less than 24 hours old)
    • Private repositories recently turned public (within the last 24 hours)
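As an added illustration of the enumerate-then-scan pipeline described in the list above (example code written for this page, not Chariot’s implementation): the GitHub REST API paths are real (`/orgs/{org}/repos`, `/orgs/{org}/members`, `/users/{user}/repos`), but the `org:`/`user:` seed convention, the injected `fetch_json` callable, the sample API responses and the `.env` contents are all constructed for the example. The secret patterns are a small illustrative subset, not Nosey Parker’s rule set, and Gato’s CI/CD checks are out of scope here. One caveat the list glosses over: a repository object carries no timestamp for a visibility change, so “private turned public” can only be detected by diffing the current visibility against a snapshot you recorded earlier.

```python
"""Minimal GitHub exposure monitor (added example, not Chariot's code)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Callable

# Illustrative subset of secret patterns (the GitHub and AWS token shapes are
# publicly documented; this is not a substitute for Nosey Parker's rules).
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def enumerate_repos(seed: str, fetch_json: Callable[[str], list], include_members: bool = True) -> list:
    """Collect repo objects for a seed of the form 'org:NAME' or 'user:NAME'
    (my convention, not Chariot's). For an org, members' public repos are
    pulled too, mirroring the list above. fetch_json(path) returns the
    decoded JSON array for a GitHub REST path; pagination is omitted."""
    kind, _, name = seed.partition(":")
    if kind == "org":
        repos = list(fetch_json(f"/orgs/{name}/repos?type=public&per_page=100"))
        if include_members:
            for member in fetch_json(f"/orgs/{name}/members?per_page=100"):
                repos.extend(fetch_json(f"/users/{member['login']}/repos?type=owner&per_page=100"))
    elif kind == "user":
        repos = list(fetch_json(f"/users/{name}/repos?type=owner&per_page=100"))
    else:
        raise ValueError("seed must be 'org:NAME' or 'user:NAME'")
    # De-duplicate by full_name; a member's repo may also appear under the org.
    unique = {}
    for repo in repos:
        unique.setdefault(repo["full_name"], repo)
    return list(unique.values())


def flag_exposures(repos: list, previous_visibility: dict, now: datetime,
                   window: timedelta = timedelta(hours=24)) -> list:
    """Return (full_name, reason) pairs for public repos created inside the
    window and for repos whose last recorded visibility was 'private'."""
    findings = []
    for repo in repos:
        if repo.get("private"):
            continue
        created = datetime.fromisoformat(repo["created_at"].replace("Z", "+00:00"))
        if now - created < window:
            findings.append((repo["full_name"], "new_public_repo"))
        if previous_visibility.get(repo["full_name"]) == "private":
            findings.append((repo["full_name"], "private_turned_public"))
    return findings


def scan_text_for_secrets(path: str, text: str) -> list:
    """Return (path, line_number, pattern_name) for each matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, name))
    return hits


# Constructed sample data standing in for live API responses and a repo file.
NOW = datetime(2024, 7, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_API = {
    "/orgs/example-org/repos?type=public&per_page=100": [
        {"full_name": "example-org/old-public", "private": False, "created_at": "2022-01-10T12:00:00Z"},
        {"full_name": "example-org/fresh-public", "private": False, "created_at": "2024-07-02T18:30:00Z"},
        {"full_name": "example-org/was-private", "private": False, "created_at": "2023-05-01T09:00:00Z"},
    ],
    "/orgs/example-org/members?per_page=100": [{"login": "alice"}],
    "/users/alice/repos?type=owner&per_page=100": [
        {"full_name": "alice/dotfiles", "private": False, "created_at": "2024-07-02T10:00:00Z"},
    ],
}
# Visibility recorded on the previous run; 'fresh-public' and 'dotfiles' were not seen yet.
PREVIOUS_SNAPSHOT = {"example-org/old-public": "public", "example-org/was-private": "private"}
# Fake credentials: the AWS key is Amazon's documentation example, the PAT is made up.
SAMPLE_ENV = (
    "# constructed .env, tokens are fake\n"
    "GITHUB_TOKEN=ghp_1234567890abcdefghijklmnopqrstuvwxyz\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "DEBUG=true\n"
)


def demo_findings() -> list:
    repos = enumerate_repos("org:example-org", lambda path: SAMPLE_API[path])
    return flag_exposures(repos, PREVIOUS_SNAPSHOT, NOW)


def demo_secret_hits() -> list:
    return scan_text_for_secrets(".env", SAMPLE_ENV)


if __name__ == "__main__":
    for finding in demo_findings() + demo_secret_hits():
        print(finding)
```

To run this against live data, replace the lambda with a function that issues `GET https://api.github.com{path}` with a token of its own and follows `Link` pagination; the 24-hour checks are only as good as the snapshot you persist between runs.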

How to Use the GitHub Capability

Chariot users can trigger the GitHub capability in two ways. The first is to add the GitHub URL of the user or organization (e.g., https://github.com/praetorian-inc) as a seed. This is possible through our UI or with Praetorian’s CLI tool:


Article source: https://securityboulevard.com/2024/07/secrets-exposed-the-rise-of-github-as-an-attack-vector/