Postmortem Index

Explore incident reports from various companies

Homebrew GitHub token leak from Jenkins

Homebrew · Homebrew

2018-07-31 security

On July 31st, 2018, a security researcher reported that a GitHub personal access token whose scopes had recently been elevated had been leaked from Homebrew’s Jenkins instance. The token granted git push access to the Homebrew/brew and Homebrew/homebrew-core repositories.

Within a few hours of the report, the compromised credentials were revoked, replaced, and sanitized within Jenkins to prevent future exposure. GitHub Support confirmed that the token had not been used to perform any unauthorized pushes to the affected repositories during its period of elevated scopes. Consequently, no packages were compromised, and no action is required by users due to this incident.

Homebrew implemented several remediation steps. The Homebrew/brew and Homebrew/homebrew-core repositories were updated to prevent non-administrators from pushing directly to master. Additionally, most other repositories in the Homebrew organization were configured to require CI checks from a pull request to pass before changes could be pushed to master.

Further actions included asking all Homebrew maintainers to review and prune their personal access tokens and to disable SMS fallback for 2FA. The project already required 2FA and had third-party application restrictions enabled for its GitHub organization. GPG signing of commits to Homebrew/homebrew-core was also considered, but was rejected over workflow concerns.
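Two of the controls above can be checked mechanically rather than by hand: whether a token carries scopes beyond what its job actually needs (the pruning maintainers were asked to do), and whether a repository's master branch really requires CI to pass and restricts direct pushes (the branch protection applied to Homebrew/brew and Homebrew/homebrew-core). The script below is an added example, not Homebrew's own code. It assumes the documented shape of the data GitHub's REST API returns: the X-OAuth-Scopes response header sent back on requests made with a classic token, and the JSON body of GET /repos/{owner}/{repo}/branches/{branch}/protection, in which keys such as required_status_checks and restrictions are absent when not configured. The token scopes, team slug and status-check context in it are constructed samples.

```python
"""Audit helpers for token scope hygiene and master-branch protection.

Added example, not Homebrew's code. Operates on data the GitHub REST API
already returns; the API shapes below are assumptions about the documented
response format, and every sample input is constructed.
"""
from __future__ import annotations

# Classic-token scopes that grant write access to code, org settings, hooks,
# keys or packages. A CI job that only reads public repositories needs none.
WRITE_SCOPES = {
    "repo", "public_repo", "workflow", "write:org", "admin:org",
    "admin:repo_hook", "admin:org_hook", "write:packages", "delete:packages",
    "delete_repo", "admin:public_key", "admin:gpg_key",
}


def parse_scopes(x_oauth_scopes: str) -> set[str]:
    """Split the comma-separated X-OAuth-Scopes header value into a set."""
    return {s.strip() for s in x_oauth_scopes.split(",") if s.strip()}


def excess_scopes(x_oauth_scopes: str, needed: set[str]) -> list[str]:
    """Scopes the token carries beyond those the job needs.

    Write scopes are listed first so the most dangerous surplus stands out.
    """
    surplus = parse_scopes(x_oauth_scopes) - needed
    return sorted(surplus, key=lambda s: (s not in WRITE_SCOPES, s))


def branch_protection_findings(protection: dict, allow_admin_bypass: bool = True) -> list[str]:
    """Findings against the profile Homebrew adopted for master:

    - required status checks from a pull request must exist, and
    - direct pushes must be restricted so non-administrators cannot push.

    Homebrew left administrators able to push directly; pass
    allow_admin_bypass=False to flag that as well.
    """
    findings: list[str] = []
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append("no required status checks: changes can reach master without CI passing")
    if protection.get("restrictions") is None:
        findings.append("no push restrictions: any collaborator with write access can push to master")
    if not allow_admin_bypass and not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("protection is not enforced for administrators")
    return findings


# Constructed samples: a CI token that was granted far more than it needs, and
# the protection object for master before and after hardening.
CI_TOKEN_SCOPES = "repo, workflow, read:org"   # value of X-OAuth-Scopes (constructed)
CI_TOKEN_NEEDS = {"read:org"}                   # what the job actually uses (constructed)

UNPROTECTED_MASTER = {"enforce_admins": {"enabled": False}}

HARDENED_MASTER = {
    "required_status_checks": {"strict": True, "contexts": ["continuous-integration/jenkins"]},
    "enforce_admins": {"enabled": False},  # administrators may still push directly
    "restrictions": {"users": [], "teams": [{"slug": "admins"}], "apps": []},
}

if __name__ == "__main__":
    print("surplus token scopes:", excess_scopes(CI_TOKEN_SCOPES, CI_TOKEN_NEEDS))
    for label, prot in (("before", UNPROTECTED_MASTER), ("after", HARDENED_MASTER)):
        print(f"master protection {label}:", branch_protection_findings(prot) or ["ok"])
```

Run against real data, `excess_scopes` takes the X-OAuth-Scopes header from any authenticated API response and `branch_protection_findings` takes the parsed body of the protection endpoint; neither function needs network access itself, so the same checks can run in a scheduled job over every repository in an organization.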

Keywords

github, jenkins, security, token, leak, homebrew, git, access