# ⚠ GitHub PAT in .git/config — long-lived classic PATs leak via remote URL

- Severity: high
- Lesson date: 2026-06-19
- Status: monitoring (rotation in progress; new PAT active, old PAT being left to expire on 2026-06-24)
## What happened

A long-lived classic GitHub PAT (`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`) was embedded in the remote URL of a `.git/config` file. The leak vector:

- `git remote -v` showed the raw token in the URL: `https://<TOKEN>@github.com/...`
- No credential helper configured
- No `url.<...>.insteadOf` rewrite — the token was written directly into the URL
- `.git/config` is readable by anyone with sandbox read access

The token was visible on GitHub from at least 2026-06-19 to 2026-06-22 (3+ days). During that window, anyone with the URL could have made authenticated API calls as the user.
## The rule

Never use a long-lived classic PAT in a `.git/config` remote URL.

- Use `gh auth login` (OAuth, refresh tokens, scoped per command)
- Use Git Credential Manager (system keychain)
- Use a fine-grained PAT with a 90-day max expiry
- If a PAT must be in a URL (rare), use a fine-grained PAT with `expires: 2026-09-22T00:00:00Z` (90 days from today), not a classic `ghp_*` token

If you find a `ghp_*` token in `.git/config`, treat it as already leaked: revoke it, mint a replacement, strip the token from local clones, and update any tooling that referenced the old token.
## How to check before acting

- [ ] `git remote -v` — does any URL contain `ghp_*` or a long token string?
- [ ] `.git/config` permissions — who can read this file? Is the sandbox shared?
- [ ] `git config --list | grep credential` — is a credential helper configured?
- [ ] GitHub PAT audit log (https://github.com/settings/tokens) — has the token been used by anything other than you?
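The first and third checks above (token in a remote URL, credential helper present) can be scripted against a `.git/config` without shelling out to git. This is an added example, not part of the lessons log or any project tooling; the sample config, its `ghp_EXAMPLE...` placeholder token, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit
# GitHub token prefixes: classic PATs (ghp_), OAuth/app tokens, fine-grained PATs.
TOKEN_RE = re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}")
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')  # e.g. [remote "origin"]
KEY_RE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")            # e.g. \turl = https://...

# Constructed sample .git/config; the ghp_ value is a placeholder, not a real credential.
SAMPLE_CONFIG = """
[remote "origin"]
\turl = https://ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE0001@github.com/example/repo.git
[remote "upstream"]
\turl = https://github.com/example/upstream.git
"""

def parse_git_config(text):
    """Return [(section, subsection, key, value)] from git-config text."""
    entries, section, sub = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1).lower(), m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section:
            entries.append((section, sub, m.group(1).lower(), m.group(2)))
    return entries

def audit_git_config(text):
    """Return (findings, has_credential_helper); findings are human-readable strings."""
    findings, entries = [], parse_git_config(text)
    for section, sub, key, value in entries:
        if section != "remote" or key not in ("url", "pushurl"):
            continue
        parts = urlsplit(value)  # userinfo lands in .username / .password
        userinfo = ":".join(x for x in (parts.username, parts.password) if x)
        if TOKEN_RE.search(userinfo):
            kind = "classic PAT" if "ghp_" in userinfo else "GitHub token"
            findings.append(f"remote '{sub}' {key}: embedded {kind} ({userinfo[:4]}...)")
        elif userinfo:
            findings.append(f"remote '{sub}' {key}: credentials in URL ({userinfo[:4]}...)")
    has_helper = any(s == "credential" and k == "helper" for s, _, k, _ in entries)
    return findings, has_helper

def redact_remote_url(url):
    """Strip userinfo from a remote URL (what `git remote set-url` should leave behind)."""
    parts = urlsplit(url)
    return parts._replace(netloc=parts.netloc.rsplit("@", 1)[-1]).geturl()
```

Run `audit_git_config(open(".git/config").read())` from a clone to get the findings list and a flag saying whether any `credential.helper` is set; an empty findings list with `has_helper` true is the state the rule above asks for.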
## If you already did the wrong thing

- Revoke the PAT at https://github.com/settings/tokens immediately
- Mint a replacement — fine-grained, 90-day max, minimal scopes
- Strip the token from local clones:

  ```bash
  # Rewrite the remote URL without the embedded token
  git remote set-url origin https://github.com/<owner>/<repo>.git
  # Confirm no URL still carries a token
  git remote -v
  ```

- Audit recent activity — check the token's audit log for any pushes/queries you didn't make
- Update the docHub lessons log with the new finding
## Cross-references

- D-058 — PAT rotation (the decision that triggered the rotation)
- Report: 2026-06-22-pat-rotation-plan — full rotation procedure
- Report: 2026-06-22-dup-cleanup — adjacent incident (the same leaked PAT was used in the dup cleanup, complicating things)