A Codespace is a credential aggregation point: devcontainer secret theft
A tampered devcontainer runs attacker code on Codespace creation, lifting the GITHUB_TOKEN, Codespaces secrets, and cached cloud creds. Deleting the container does not undo it.
A Codespace is a cloud dev environment handed a GITHUB_TOKEN, your Codespaces secrets, and often cached cloud credentials. That makes it a single, juicy credential aggregation point.
How the attack works
A malicious pull request modifies the repo’s devcontainer to add a postCreateCommand. When a developer opens a Codespace on that branch, the lifecycle hook runs attacker code, dumps the process environment, and POSTs the Codespaces secrets and GITHUB_TOKEN to an external collector. The stolen token then reads private repositories beyond the one in the Codespace, and AWS credentials cached in the dev container are used to list and read an internal artifact bucket. In ATT&CK terms this is T1552, Unsecured Credentials, and T1528, Steal Application Access Token, with reuse mapping to T1078, Valid Accounts, and T1213, Data from Information Repositories.
Why it works
Untrusted code executes automatically on creation with a rich secret set already present in the environment, and the devcontainer change rode in through an unreviewed pull request. A Codespace concentrates a repo token, your configured secrets, and cached cloud credentials in one place, so a single lifecycle hook can harvest all of them at once.
How to fix it
The non-obvious point is that deleting the container does not invalidate credentials that have already left it. You must stop and delete the Codespace, revoke its GITHUB_TOKEN and the user’s tokens and sessions, then rotate every Codespaces secret and cloud credential reachable from that environment, which makes the stolen copies worthless. For the class fix, require review and approval for devcontainer changes, scope Codespaces secrets to the repos that need them, and minimize standing cloud credentials inside dev environments. To scope what was actually accessed, use the GitHub audit log plus the cloud provider access logs over the attacker window.
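One way to back the review requirement for devcontainer changes with an automated check, as an added example that is not from the original post or from GitHub's tooling: compare the base and head devcontainer.json and flag any lifecycle hook that was added or altered. The function names and the sample files are assumptions constructed for illustration, and the check covers hook properties only, so Dockerfile and feature changes still need their own review.

```python
import json

# Lifecycle hooks from the dev container spec; each one runs commands automatically.
LIFECYCLE_HOOKS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                   "postCreateCommand", "postStartCommand", "postAttachCommand")

def strip_jsonc(text):
    """Drop // and /* */ comments outside string literals (devcontainer.json is JSONC)."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):  # keep the escaped char, e.g. \"
                i += 1
                out.append(text[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):  # line comment: skip to end of line
            i = text.find("\n", i)
            if i == -1:
                break
            continue
        elif text.startswith("/*", i):  # block comment: skip past the closing */
            end = text.find("*/", i + 2)
            i = len(text) if end == -1 else end + 2
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def hook_changes(base_text, head_text):
    """Return {hook: (old, new)} for each hook that differs; '' means the file is absent."""
    base = json.loads(strip_jsonc(base_text)) if base_text else {}
    head = json.loads(strip_jsonc(head_text)) if head_text else {}
    return {h: (base.get(h), head.get(h)) for h in LIFECYCLE_HOOKS if base.get(h) != head.get(h)}

def needs_review(base_text, head_text):
    """Fail closed: an unparseable config or any hook change requires explicit approval."""
    try:
        return bool(hook_changes(base_text, head_text))
    except (ValueError, AttributeError):  # bad JSON, or top level is not an object
        return True

# Constructed sample files (not from any real repository).
BASE = '{\n  // base branch\n  "postCreateCommand": "npm ci"\n}'
HEAD = '{\n  "postCreateCommand": "npm ci && sh .devcontainer/setup.sh" /* new script */\n}'
```

Run as a required status check on pull requests, a true result from `needs_review` would block the merge until someone responsible for the dev environment approves the hook change.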
Practice it
We built this as a GraphLattice Range scenario so teams can rehearse the env-exfil chain, the revoke-and-rotate-everything-reachable containment, and the framing that a dev box holding prod creds is a prod exposure.