CRACI

Token Exfiltration

Token exfiltration is the unauthorized extraction of authentication tokens—such as API keys, access tokens, or session tokens—allowing attackers to impersonate legitimate users or services.

Last updated: March 3, 2026

Token exfiltration refers to the theft or unauthorized extraction of authentication credentials such as API keys, OAuth access tokens, JWTs, or CI/CD secrets. Once stolen, these tokens grant an attacker the same permissions as the legitimate holder—without needing a password.

In CI/CD environments, the GITHUB_TOKEN or similar pipeline secrets are high-value targets. An attacker who achieves code execution inside a workflow runner can read environment variables or the token store and exfiltrate credentials to an external server.

Preventive measures include scoping tokens to the minimum required permissions, setting short expiry windows, monitoring for anomalous API usage, and applying network egress controls on CI runners to block outbound data exfiltration.
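As an added illustration of the first and last of those measures (this is example configuration written for this entry, not code from the CRACI glossary or from any project it describes), the block below shows two GitHub Actions workflow files: one that silently inherits the repository's default GITHUB_TOKEN permissions, and a hardened version that scopes the token to read-only access and blocks outbound connections from the runner. The job name, the `npm` commands and the allow-listed hostnames are assumptions chosen for the example; `step-security/harden-runner` is one available runner-egress tool, named here as an assumption rather than a requirement, and any equivalent runner firewall serves the same purpose.

```yaml
# ---------------------------------------------------------------------------
# File 1 (weak): .github/workflows/ci-unscoped.yml
# No `permissions:` block, so GITHUB_TOKEN gets the repository default. If that
# default is "read and write", any step that gains code execution (for example
# a malicious dependency executed by `npm test`) can read the token from the
# environment and use it with full write access to the repository.
# ---------------------------------------------------------------------------
name: ci-unscoped
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

---
# ---------------------------------------------------------------------------
# File 2 (hardened): .github/workflows/ci-scoped.yml
# ---------------------------------------------------------------------------
name: ci-scoped
on: [push, pull_request]

# Workflow-level default: grant nothing. Every job must request the scopes it
# actually needs, so a token stolen from one job is useless for anything else.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # enough to check out the code; no push, no release
    steps:
      # Egress control (assumption: step-security/harden-runner is used here).
      # `block` drops every outbound connection that is not on the allow-list,
      # which is what stops a stolen token from being sent to an external host.
      - uses: step-security/harden-runner@v2
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            registry.npmjs.org:443
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config for later steps
      - run: npm ci && npm test
```

The `permissions: {}` default plus a per-job `contents: read` implements the "minimum required permissions" measure; GITHUB_TOKEN already covers the "short expiry" measure on its own, since it is invalidated when the job finishes. The egress allow-list is the control that addresses the exfiltration step itself, and running it first in `audit` mode before switching to `block` is the usual way to discover which endpoints a job legitimately needs.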