
Code to Cloud Attacks: From Github PAT to Cloud Control Plane

ID: 80d43b12-293c-5b36-9534-5668baff7012

STIX ID: report--80d43b12-293c-5b36-9534-5668baff7012

Feed Name: Wiz Blog

Threat Score: 80/100

Date Published: 2025-12-09

Date Updated: 2026-05-01


Wiz documents active attacks in which compromised GitHub Personal Access Tokens are used to enumerate Actions secret names via API code search, create malicious workflows to exfiltrate or reuse secrets (including double-Base64 and webhook exfiltration), generate cloud credentials, and move laterally into cloud provider environments. The report highlights audit-log gaps, defense evasion by deleting workflow artifacts, and supply-chain implications. It recommends real-time log streaming, least-privilege secrets management, and secret scanning/remediation.
