Tags: github, source code, token theft, supply chain

One leaked token, your whole org's source code

A GitHub personal access token or OAuth grant is a password that skips MFA and often carries org-wide scope. Leak one and an attacker clones everything, then mines it for more secrets. Here is the path, and the fix.

Attack flow
1. Steal a PAT or OAuth token
2. Authenticate to the org
3. Clone private repositories
4. Mine code for more secrets
5. Pivot to cloud / CI
Seen in the wild: Lapsus$, ShinyHunters

Your source code is also where your team accidentally stored a hundred other credentials.

What it is

A GitHub personal access token (PAT) or OAuth app grant authenticates to the GitHub API without a password or an MFA prompt, and tokens are frequently over-scoped (full repo, org admin). An attacker who steals one, leaked in code or CI, phished, or pulled from a developer machine, clones every private repository, then mines the code and history for cloud keys, signing certs, and more tokens to pivot. This is T1528 (steal application access token) with T1213 (data from repositories) and T1552 (unsecured credentials).

Why it works

The token bypasses MFA, repositories are full of other secrets, and a single org-scoped token reaches far more than one project. Git history keeps secrets long after they are deleted from the latest commit.

How to detect it

In the GitHub audit log, watch for repository cloning at unusual volume, API access from a new IP or location, a new PAT or OAuth app authorization, and access to repos a user does not normally touch.
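The four signals above, applied to an audit log export, as an added example (not code from the original note or from GitHub): a small analyzer that flags a clone burst, a new source IP, a token or OAuth grant event, and clones of repos outside an actor's baseline. The sample log lines and the baseline are constructed, and the token-event action names are assumptions to be checked against your own export.

```python
import json
from collections import defaultdict

# Constructed sample audit-log export (JSON lines). Field names follow the
# GitHub audit log's @timestamp/action/actor/actor_ip/repo; values are made up.
SAMPLE_LOG = """
{"@timestamp": 0, "action": "git.clone", "actor": "dev1", "actor_ip": "10.0.0.5", "repo": "acme/api"}
{"@timestamp": 1000, "action": "oauth_authorization.create", "actor": "dev1", "actor_ip": "203.0.113.9"}
{"@timestamp": 1010, "action": "git.clone", "actor": "dev1", "actor_ip": "203.0.113.9", "repo": "acme/api"}
{"@timestamp": 1020, "action": "git.clone", "actor": "dev1", "actor_ip": "203.0.113.9", "repo": "acme/web"}
{"@timestamp": 1030, "action": "git.clone", "actor": "dev1", "actor_ip": "203.0.113.9", "repo": "acme/billing"}
{"@timestamp": 1040, "action": "git.clone", "actor": "dev1", "actor_ip": "203.0.113.9", "repo": "acme/infra"}
{"@timestamp": 1050, "action": "git.clone", "actor": "dev1", "actor_ip": "203.0.113.9", "repo": "acme/secrets"}
"""

# Per-actor baseline of IPs and repos seen during a quiet learning period (constructed).
BASELINE = {"dev1": {"ips": {"10.0.0.5"}, "repos": {"acme/api", "acme/web"}}}

# Assumed action names for token/grant creation; confirm against your own export,
# since the exact names differ between classic PATs, fine-grained PATs and OAuth apps.
TOKEN_ACTIONS = {"oauth_authorization.create", "personal_access_token.access_granted"}


def analyze(log_text, baseline, clone_threshold=5, window_s=600):
    """Return (actor, kind, detail) alerts for the four signals named above."""
    events = [json.loads(l) for l in log_text.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["@timestamp"])
    alerts, seen_ips, seen_repos = [], set(), set()
    clones = defaultdict(list)  # actor -> clone timestamps inside the window
    for e in events:
        actor, action, ts = e["actor"], e["action"], e["@timestamp"]
        base = baseline.get(actor, {"ips": set(), "repos": set()})
        ip = e.get("actor_ip")
        if ip and ip not in base["ips"] and (actor, ip) not in seen_ips:
            seen_ips.add((actor, ip))  # alert once per actor/IP pair
            alerts.append((actor, "new_ip", ip))
        if action in TOKEN_ACTIONS:
            alerts.append((actor, "new_token", action))
        if action == "git.clone":
            clones[actor] = [t for t in clones[actor] if ts - t <= window_s] + [ts]
            if len(clones[actor]) == clone_threshold:  # fires when threshold is first reached
                alerts.append((actor, "clone_burst", f"{clone_threshold} clones in {window_s}s"))
            repo = e.get("repo")
            if repo and repo not in base["repos"] and (actor, repo) not in seen_repos:
                seen_repos.add((actor, repo))
                alerts.append((actor, "unusual_repo", repo))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, BASELINE):
        print(alert)
```

Against the sample, the first clone from the known IP of a known repo is silent; the later activity from the new IP produces a new_ip, a new_token, three unusual_repo alerts and one clone_burst.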

The fix that holds

Prefer short-lived, fine-grained tokens and SSO-enforced access over long-lived classic PATs, require SSO and MFA for org access, and enable push protection and secret scanning. Restrict OAuth apps, rotate exposed tokens, and keep secrets out of code with a secrets manager.

Practice it

We built a GitHub token-and-org compromise scenario in GraphLattice Range so teams learn to catch the clone-and-mine pattern and revoke fast.