We got hit. Cleaned up but still trying to find the origin. Assuming a VS Code plugin at this point that must have been poisoned. Have you found anything?You can see if your account is leaking by searching for any branches of that [REDACTED] name:for repo in $(gh repo list YOUR_ACCOUNT --json name -q &#x27;.[].name&#x27;); do if gh api repos&#x2F;YOUR_ACCOUNT&#x2F;$repo&#x2F;branches&#x2F;REDACTED &amp;&gt;&#x2F;dev&#x2F;null; then echo &quot; Found &#x27;REDACTED&#x27; in: $repo&quot; fi done

Redacted names are shai-hulud, everybody knows by now haha

I redacted the names to avoid spreading and teaching people how to get other people&#x27;s secrets. I am in contact with Github and will update here once they solve the issue.

A lot of repos are being under attack where branches are being created under the name [REDACTED] to trigger GH actions and send all secrets to a webhook website. This is new and here is an example:[REDACTED]Just search on github and you will see planty repos.

GitHub Attack – branches sending secrets to webhook