GitHub Nord Stream tool signature detected


Goal

Detects GitHub API activity that matches artefacts hardcoded in the Nord Stream secret-extraction tool: its fixed workflow filename, its fixed branch name, and the browser-style user-agent string it sends on programmatic API calls.

Strategy

This rule monitors GitHub API requests for static values hardcoded in Nord Stream's constants.py. Nord Stream is an open-source tool that extracts secrets from GitHub CI/CD pipelines: it enumerates the secrets available to a repository, temporarily disables branch protections, pushes a malicious workflow on a throwaway branch to exfiltrate the secrets, and then cleans up the branch, the workflow and its run logs. Because the workflow filename, branch name and user-agent are fixed in the tool's source rather than chosen per run, their presence in logs is a reliable indicator that the tool was used and warrants immediate investigation. A browser user-agent on REST API calls is itself unusual, since legitimate automation normally identifies itself with a client-library or CLI user-agent. Note that an operator who edits constants.py before running the tool will not trigger this rule, so treat a miss as inconclusive and rely on the behavioural indicators in the triage steps as well.

Triage and response

  • Examine recent API activity by {{@github.actor}} for other Nord Stream indicators such as secret enumeration, branch protection changes, or workflow run deletion.
  • Identify which repositories {{@github.actor}} accessed and determine whether access to those repositories is expected for this identity.
  • Review the token or credential used for the API calls and determine whether it has been compromised or is being used outside of its intended scope.
  • Check whether any workflow runs were created on short-lived branches and whether their logs have been deleted.
  • Determine whether branch protection rules were modified on any repository immediately preceding or following this activity.
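The following Python is an added example, not code from the rule or from the Nord Stream project. It shows the two halves described above in one script: a detection pass that flags GitHub audit-log events carrying any of the three hardcoded artefacts, and a triage pivot that collects the same actor's branch-protection changes and workflow-run deletions around the first hit. The indicator values are placeholders that stand in for the real constants in Nord Stream's constants.py (this example deliberately does not reproduce them), the log lines are constructed, and the event field names and the audit-log action prefixes used for the pivot are assumptions to be adjusted to your own log source.

```python
"""Detect Nord Stream's hardcoded artefacts in GitHub audit-log events and pivot on the actor."""
import json
from datetime import datetime, timedelta

# Placeholder indicators. Replace with the real values from Nord Stream's constants.py;
# these strings are invented for the example and match nothing real.
INDICATORS = {
    "workflow_filename": "example_hardcoded_workflow.yml",
    "branch_name": "example_hardcoded_branch",
    "user_agent": "ExampleHardcodedUA/1.0",
}

# Constructed audit-log events (JSON lines). Field names are an assumption about the
# log schema: timestamp, actor, action, repo, user_agent, plus ref/workflow where relevant.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T09:00:00Z", "actor": "bob", "action": "protected_branch.destroy", "repo": "acme/web", "user_agent": "git/2.40"}
{"timestamp": "2024-05-01T09:30:00Z", "actor": "alice", "action": "git.push", "repo": "acme/web", "ref": "refs/heads/feature-x", "user_agent": "git/2.40"}
{"timestamp": "2024-05-01T10:00:00Z", "actor": "mallory", "action": "protected_branch.destroy", "repo": "acme/payments", "user_agent": "ExampleHardcodedUA/1.0"}
{"timestamp": "2024-05-01T10:00:05Z", "actor": "mallory", "action": "git.push", "repo": "acme/payments", "ref": "refs/heads/example_hardcoded_branch", "user_agent": "git/2.40"}
{"timestamp": "2024-05-01T10:00:20Z", "actor": "mallory", "action": "workflows.created_workflow_run", "repo": "acme/payments", "workflow": ".github/workflows/example_hardcoded_workflow.yml", "user_agent": "python-requests/2.31"}
{"timestamp": "2024-05-01T10:01:00Z", "actor": "mallory", "action": "workflows.delete_workflow_run", "repo": "acme/payments", "user_agent": "ExampleHardcodedUA/1.0"}
{"timestamp": "2024-05-01T10:01:10Z", "actor": "mallory", "action": "protected_branch.create", "repo": "acme/payments", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
"""


def _event_time(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def match_indicator(event):
    """Return which hardcoded artefact the event carries, or None if it carries none."""
    if event.get("user_agent") == INDICATORS["user_agent"]:
        return "user_agent"
    ref = event.get("ref", "")
    if ref == INDICATORS["branch_name"] or ref.endswith("/" + INDICATORS["branch_name"]):
        return "branch_name"
    workflow = event.get("workflow", "")
    if workflow and workflow.rsplit("/", 1)[-1] == INDICATORS["workflow_filename"]:
        return "workflow_filename"
    return None


def classify_pivot(action):
    """Map an audit-log action to a triage category. The prefixes are an assumption
    about GitHub audit-log naming; secret enumeration is an API read that the audit
    log may not record at all, so it is not covered here."""
    if action.startswith("protected_branch."):
        return "branch protection change"
    if action.startswith("workflows.delete"):
        return "workflow run deletion"
    return None


def detect(events):
    """Detection pass: every event matching a hardcoded artefact, with the artefact name."""
    return [(event, name) for event in events if (name := match_indicator(event))]


def pivot_actor(events, actor, anchor, window=timedelta(minutes=30)):
    """Triage pass: the actor's branch-protection and run-deletion events near the anchor time."""
    related = []
    for event in events:
        if event.get("actor") != actor or abs(_event_time(event) - anchor) > window:
            continue
        label = classify_pivot(event.get("action", ""))
        if label:
            related.append((event, label))
    return sorted(related, key=lambda pair: pair[0]["timestamp"])


def triage(log_lines):
    """Run detection, then build a per-actor report: artefacts seen, repos touched, pivot events."""
    events = [json.loads(line) for line in log_lines if line.strip()]
    hits = detect(events)
    report = {}
    for event, name in hits:
        entry = report.setdefault(event["actor"], {"indicators": [], "repos": set(), "pivots": []})
        entry["indicators"].append(name)
        entry["repos"].add(event["repo"])
    for actor, entry in report.items():
        first_hit = min(_event_time(e) for e, _ in hits if e["actor"] == actor)
        entry["pivots"] = pivot_actor(events, actor, first_hit)
    return report


if __name__ == "__main__":
    for actor, entry in triage(SAMPLE_LOG.splitlines()).items():
        print(actor, sorted(entry["repos"]), entry["indicators"])
        for event, label in entry["pivots"]:
            print("  ", event["timestamp"], event["action"], "->", label)
```

Matching on the user-agent and branch name is exact, while the workflow filename is compared on the basename so the same artefact is caught whether the log records the full path or just the file. The pivot deliberately includes events that did not trigger the detection themselves (the restored branch protection in the sample) because those are what tell a triager the full sequence ran.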