---
title: GitHub Nord Stream tool signature detected
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > GitHub Nord Stream tool signature
  detected
---

# GitHub Nord Stream tool signature detected
Classification: attack | Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006) | Technique: [T1552-unsecured-credentials](https://attack.mitre.org/techniques/T1552)
## Goal{% #goal %}

Detects GitHub API activity matching hardcoded artefacts from the [Nord Stream](https://github.com/synacktiv/nord-stream/tree/main) secret extraction tool, including its fixed workflow filename, its fixed branch name, and the browser user-agent string it sends on programmatic API calls.

## Strategy{% #strategy %}

This rule monitors GitHub API requests for static values hardcoded in Nord Stream's `constants.py`. Nord Stream is an open-source tool that extracts secrets from GitHub CI/CD pipelines by enumerating secrets, temporarily disabling branch protections, pushing a malicious workflow, and cleaning up all evidence. Because these values do not change between runs, their presence in logs is a reliable indicator that the tool was used and warrants immediate investigation.

## Triage and response{% #triage-and-response %}

- Examine recent API activity by `{{@github.actor}}` for other Nord Stream indicators such as secret enumeration, branch protection changes, or workflow run deletion.
- Identify which repositories `{{@github.actor}}` accessed and determine whether access to those repositories is expected for this identity.
- Review the token or credential used for the API calls and determine whether it has been compromised or is being used outside of its intended scope.
- Check whether any workflow runs were created on short-lived branches and whether their logs have been deleted.
- Determine whether branch protection rules were modified on any repository immediately preceding or following this activity.
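
The matching described under Strategy, together with the actor-centric correlation the triage steps call for, as an added example written for this page (it is not Datadog's rule logic or Nord Stream code). The indicator strings are labelled placeholders, not the values from `constants.py`; the log field names (`actor`, `repo`, `action`, `user_agent`, `workflow_path`, `ref`) and the related audit-log action names are assumptions, and the log lines are constructed for the example.

```python
import json
from collections import Counter

# Stand-in values. The real strings live in Nord Stream's constants.py; these
# placeholders are constructed for this example and are NOT the tool's values.
NORD_STREAM_INDICATORS = {
    "user_agent": "PLACEHOLDER_NS_USER_AGENT/1.0",
    "workflow_file": "PLACEHOLDER_NS_WORKFLOW.yml",
    "branch": "PLACEHOLDER_NS_BRANCH",
}

# Assumed audit-log action names for the follow-on behaviour the triage list
# asks about; adjust them to the action names your log source actually emits.
RELATED_ACTIONS = {
    "protected_branch.destroy": "branch protection removed",
    "protected_branch.update": "branch protection changed",
    "workflows.delete_workflow_run": "workflow run deleted",
    "repo.list_secrets": "secret enumeration",
}

# Constructed sample log: one JSON object per line, plus one malformed line
# to show that a bad record is skipped rather than aborting the batch.
SAMPLE_LOGS = """
{"actor":"octo-dev","repo":"acme/payments","action":"workflows.create_workflow","user_agent":"PLACEHOLDER_NS_USER_AGENT/1.0","workflow_path":".github/workflows/PLACEHOLDER_NS_WORKFLOW.yml","ref":"refs/heads/PLACEHOLDER_NS_BRANCH"}
{"actor":"octo-dev","repo":"acme/payments","action":"protected_branch.destroy","user_agent":"PLACEHOLDER_NS_USER_AGENT/1.0","ref":"refs/heads/main"}
{"actor":"octo-dev","repo":"acme/payments","action":"workflows.delete_workflow_run","user_agent":"curl/8.0"}
{"actor":"ci-bot","repo":"acme/web","action":"git.push","user_agent":"git/2.44","ref":"refs/heads/feature/login"}
this line is not JSON
{"actor":"jane","repo":"acme/web","action":"workflows.create_workflow","user_agent":"Mozilla/5.0","workflow_path":".github/workflows/ci.yml","ref":"refs/heads/main"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank and malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad record must not hide the rest of the batch
    return events


def match_indicators(event):
    """Return the names of the hardcoded indicators present in one event."""
    hits = []
    if event.get("user_agent", "") == NORD_STREAM_INDICATORS["user_agent"]:
        hits.append("user_agent")
    # Compare only the file name so the workflow directory does not matter.
    path = event.get("workflow_path", "")
    if path.rsplit("/", 1)[-1] == NORD_STREAM_INDICATORS["workflow_file"]:
        hits.append("workflow_file")
    # Accept both a bare branch name and a full refs/heads/ reference.
    ref = event.get("ref", "")
    if ref.removeprefix("refs/heads/") == NORD_STREAM_INDICATORS["branch"]:
        hits.append("branch")
    return hits


def detect(text):
    """One alert per event that carries at least one Nord Stream indicator."""
    alerts = []
    for ev in parse_events(text):
        hits = match_indicators(ev)
        if hits:
            alerts.append({
                "actor": ev.get("actor"),
                "repo": ev.get("repo"),
                "action": ev.get("action"),
                "matched": hits,
            })
    return alerts


def triage_context(text, actor):
    """Count the related actions by a flagged actor, for the triage steps."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("actor") == actor and ev.get("action") in RELATED_ACTIONS:
            counts[RELATED_ACTIONS[ev["action"]]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print("ALERT", alert)
        print("  context:", triage_context(SAMPLE_LOGS, alert["actor"]))
```

The user-agent comparison is an exact match because the rule's premise is that these values are static; if your pipeline normalises or truncates the header, compare the raw field. `triage_context` is only a starting point for the checklist above: it tells you which of the related actions the same actor performed, after which the token, the repositories touched and any short-lived branches still need to be reviewed by hand.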
