{"UUID":"018edf27-f738-448d-8c46-947cd3b6d5b0","URL":"https://brew.sh/2018/08/05/security-incident-disclosure/","ArchiveURL":"https://web.archive.org/web/20260208114418/https://brew.sh/2018/08/05/security-incident-disclosure/","Title":"Homebrew GitHub token leak from Jenkins","StartTime":"2018-07-31T00:00:00Z","EndTime":"2018-07-31T06:00:00Z","Categories":["security"],"Keywords":["github","jenkins","security","token","leak","homebrew","git","access"],"Company":"Homebrew","Product":"Homebrew","SourcePublishedAt":"2018-08-05T00:00:00Z","SourceFetchedAt":"2026-05-04T17:43:44.472681Z","Summary":"A GitHub personal access token with recently elevated scopes was leaked from Homebrew’s Jenkins that allowed access to `git push` on several Homebrew repositories.","Description":"On July 31st, 2018, a security researcher identified that a GitHub personal access token, which had recently elevated scopes, was leaked from Homebrew's Jenkins instance. This token provided `git push` access to the `Homebrew/brew` and `Homebrew/homebrew-core` repositories.\n\nWithin a few hours of the report, the compromised credentials were revoked, replaced, and sanitized within Jenkins to prevent future exposure. GitHub Support confirmed that the token had not been used to perform any unauthorized pushes to the affected repositories during its period of elevated scopes. Consequently, no packages were compromised, and no action is required by users due to this incident.\n\nHomebrew implemented several remediation steps. The `Homebrew/brew` and `Homebrew/homebrew-core` repositories were updated to prevent non-administrators from pushing directly to master. Additionally, most other repositories in the Homebrew organization were configured to require CI checks from a pull request to pass before changes could be pushed to master.\n\nFurther actions included requesting all Homebrew maintainers to review and prune their personal access tokens and disable SMS fallback for 2FA. While the project already had 2FA and third-party application restrictions enabled for its GitHub organization, a recommendation to use GPG signing for `Homebrew/homebrew-core` was considered but ultimately rejected due to workflow concerns."}