GitHub has disclosed that it is actively investigating unauthorized access to GitHub-owned internal repositories. This is not a third-party breach report — GitHub itself is the affected party.
For product engineers who build on GitHub's infrastructure — Actions, Apps, webhooks, the REST and GraphQL APIs — this matters. When the platform you depend on is investigating a security incident involving its own internal repositories, the blast radius is unknown until the investigation concludes.
The only confirmed detail GitHub has shared so far: if any customer impact is discovered, customers will be notified through established incident response and notification channels.
That sentence is doing a lot of work. It tells you the investigation is ongoing. It tells you impact has not yet been confirmed or ruled out. And it tells you GitHub is treating this through its standard incident response process — meaning formal notifications will follow if warranted.
Don't wait for a notification to start thinking about your exposure. Here is the concrete action:
Audit your GitHub-connected credentials and integrations today. Review any OAuth tokens, personal access tokens, GitHub App private keys, and deploy keys that have access to your repositories or CI/CD pipelines. If you have not rotated them recently, rotate them now. This is good hygiene regardless of this specific incident — but an active investigation on GitHub's infrastructure is the forcing function to stop deferring it.
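One way to start the deploy-key part of that audit, as an added example that is not from the original post: the script below pulls a repository's deploy keys through the documented REST endpoint and flags keys that are older than a rotation window, have not been used within it, or carry read-write access. The 90-day window and the sample keys are assumptions; the live call needs a token with access to the repository.

```python
# Added example (not from the original post): triage GitHub deploy keys for
# rotation via the documented GET /repos/{owner}/{repo}/keys endpoint and the
# fields it returns. The 90-day window and sample keys are assumptions.
import json
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://api.github.com"
MAX_AGE_DAYS = 90  # assumed rotation policy; set to your own


def fetch_deploy_keys(owner, repo, token):
    """Live call: list deploy keys for one repository (needs a token)."""
    req = urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/keys?per_page=100",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _parse(ts):
    """GitHub timestamps are ISO 8601 with a trailing Z; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def audit_deploy_keys(keys, now, max_age_days=MAX_AGE_DAYS):
    """Return (id, title, reasons) for every key that needs attention."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for k in keys:
        reasons = []
        created, last_used = _parse(k.get("created_at")), _parse(k.get("last_used"))
        if created and created < cutoff:
            reasons.append("older than rotation window")
        if not k.get("read_only", True):  # read-write keys can push code
            reasons.append("read-write access")
        if last_used is None or last_used < cutoff:
            reasons.append("not used within rotation window")
        if reasons:
            findings.append((k["id"], k.get("title", ""), reasons))
    return findings


# Constructed sample shaped like the API response; no real keys.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": 1, "title": "ci-deploy", "read_only": False,
     "created_at": "2023-01-01T00:00:00Z", "last_used": "2024-05-01T00:00:00Z"},
    {"id": 2, "title": "docs-mirror", "read_only": True,
     "created_at": "2024-05-20T00:00:00Z", "last_used": "2024-05-30T00:00:00Z"},
    {"id": 3, "title": "old-backup", "read_only": True,
     "created_at": "2022-06-01T00:00:00Z", "last_used": None},
]
```

Against a live repository, call `audit_deploy_keys(fetch_deploy_keys("org", "repo", token), datetime.now(timezone.utc))` for each repository in the organization; the constructed sample exercises all three findings offline.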
Also check your notification settings. GitHub says it will use established incident response and notification channels. Make sure the email addresses tied to your GitHub organization are monitored and that security alerts are not routing to an inbox nobody reads.
The investigation is live. The scope is not yet public. Watch the GitHub Blog for updates and treat any follow-up notification from GitHub as high priority.