Uncovering Compromised Git Admins: How to Detect Actors Like theCom
ID: d6be4614-9a2f-52d8-9460-ef14dffd3905
STIX ID: report--d6be4614-9a2f-52d8-9460-ef14dffd3905
Feed Name: Abstract Security Blog
**Executive Summary:** This report describes operations by theCom, an opportunistic threat actor group that uses social engineering against IT helpdesk and administrative GitHub/GitLab accounts. Once inside, the actors establish persistent access (personal access tokens, added collaborators), disable protections (MFA/SAML), and exfiltrate repositories or credentials in order to pivot into cloud and infrastructure. The report provides detection signals from GitHub audit logs, recommended mitigations (admin approval of PATs, restricting classic tokens, enforcing MFA/SAML), and ASTRO detection rules that flag suspicious activity such as mass repository retrieval and configuration changes.