MITRE ATT&CK® Technique

T1213.003: Code Repositories

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third-party sites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or Unsecured Credentials contained within software's source code. Having access to software's source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts.[1][2]

**Note:** This is distinct from Code Repositories (T1593.003), which focuses on conducting Reconnaissance via public code repositories.

Enterprise · T1213.003 · Sub-technique · Object v1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Code repositories are high-value collection targets because they can contain proprietary source code and unsecured credentials. For leaders, this is not just an engineering issue: repository access can expose intellectual property, enable follow-on access with valid accounts, and give adversaries information useful for exploit development or software supply-chain activity.

Executive priority

Prioritize this where private SaaS repositories support critical products, customer-facing systems, regulated workloads, or build automation. Executives should ask whether repository access is governed like a critical business system: MFA enforced, accounts lifecycle-managed, audit logs retained and reviewed, and anomalous bulk access investigated quickly. This technique also supports compliance evidence around access control, auditability, and protection of sensitive development assets.

Technical view

ATT&CK defines this as a SaaS collection sub-technique under Data from Information Repositories. Since official detection text is not provided, defenders should validate coverage against the related detection strategy DET0263: bulk or anomalous access to private code repositories via SaaS platforms. SOC and IR teams should baseline normal repository access, cloning, downloads, API use, and administrative changes, then investigate deviations such as unusual volume, unusual repositories accessed, access from unexpected accounts, or suspicious timing. Relationship context links this behavior to named campaigns, groups, and software, including SolarWinds Compromise, APT41, LAPSUS$, Scattered Spider, Shai-Hulud, TruffleHog, and GlassWorm, which reinforces the need to monitor both human and automated repository access without assuming any specific actor is present.

Likely telemetry

  • SaaS code repository audit logs
  • Authentication and MFA events for repository users
  • User, group, role, and permission change records
  • Repository clone, download, archive, and API access events
  • Git command activity where logged by the platform or enterprise controls

Detection direction

  • Implement or validate DET0263-style analytics for bulk or anomalous access to private repositories.
  • Tune detections around normal developer and CI/CD behavior to reduce false positives from legitimate large clones, migrations, releases, and build activity.
  • Correlate repository access anomalies with authentication events, MFA failures or bypasses, new tokens, permission changes, and unusual account lifecycle events.
  • Review for access to repositories outside a user’s normal project scope, especially where source code or credentials could enable follow-on Valid Accounts activity.
  • Distinguish this collection behavior from public-code reconnaissance covered by ATT&CK T1593.003; this object concerns access to victim networks or private repositories.
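
The detection direction above (baseline normal repository access, then flag bulk or out-of-scope activity and correlate it with new tokens) can be illustrated with a small analytic over audit events. The following is an added example, not Glexia's or MITRE's code and not a DET0263 implementation; the event schema (`ts`, `actor`, `action`, `repo`, `auth`) and the sample log are constructed assumptions rather than any vendor's audit format, and the thresholds are starting points to tune against your own telemetry.

```python
"""Baseline-and-deviation analytic for SaaS code repository audit logs.

Added example; not Glexia's or MITRE's code. The event schema (ts, actor,
action, repo, auth) and the sample log are constructed assumptions, not any
vendor's audit format; map the field names to your platform's export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit log: a week of normal developer and CI activity,
# then an after-hours session where one account mints a personal access token
# and rapidly clones repositories it never touched before.
SAMPLE_LOG = """\
{"ts":"2025-03-01T09:00:00Z","actor":"alice","action":"repo.clone","repo":"payments/api","auth":"ssh-key"}
{"ts":"2025-03-01T09:05:00Z","actor":"alice","action":"repo.clone","repo":"payments/web","auth":"ssh-key"}
{"ts":"2025-03-02T10:00:00Z","actor":"bob","action":"repo.clone","repo":"infra/terraform","auth":"ssh-key"}
{"ts":"2025-03-02T10:15:00Z","actor":"ci-runner","action":"repo.clone","repo":"payments/api","auth":"app-token"}
{"ts":"2025-03-03T11:00:00Z","actor":"alice","action":"repo.clone","repo":"payments/api","auth":"ssh-key"}
{"ts":"2025-03-10T02:03:00Z","actor":"alice","action":"token.create","repo":null,"auth":"password"}
{"ts":"2025-03-10T02:04:00Z","actor":"alice","action":"repo.clone","repo":"payments/api","auth":"pat"}
{"ts":"2025-03-10T02:04:30Z","actor":"alice","action":"repo.clone","repo":"payments/web","auth":"pat"}
{"ts":"2025-03-10T02:05:00Z","actor":"alice","action":"repo.clone","repo":"infra/terraform","auth":"pat"}
{"ts":"2025-03-10T02:05:30Z","actor":"alice","action":"repo.clone","repo":"hr/payroll","auth":"pat"}
{"ts":"2025-03-10T02:06:00Z","actor":"alice","action":"repo.clone","repo":"secrets/vault-config","auth":"pat"}
{"ts":"2025-03-10T08:00:00Z","actor":"ci-runner","action":"repo.clone","repo":"payments/api","auth":"app-token"}
{"ts":"2025-03-10T08:00:10Z","actor":"ci-runner","action":"repo.clone","repo":"payments/web","auth":"app-token"}
"""

BASELINE_END = datetime(2025, 3, 8)      # events before this date form the baseline
BULK_WINDOW = timedelta(minutes=10)      # sliding window for the bulk-clone rule
BULK_THRESHOLD = 4                       # distinct repos cloned inside BULK_WINDOW
TOKEN_LOOKBACK = timedelta(hours=1)      # token.create shortly before a bulk clone


def parse(log_text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per actor, the set of repositories touched during the baseline period.
    An actor absent from the baseline (a brand-new account) gets an empty set,
    so every repository it touches is reported as out of scope."""
    scope = defaultdict(set)
    for e in events:
        if e["ts"] < BASELINE_END and e["repo"]:
            scope[e["actor"]].add(e["repo"])
    return scope


def analyze(log_text, ci_actors=frozenset({"ci-runner"})):
    """Return alerts for (1) access outside an actor's baseline scope and
    (2) bulk cloning, upgraded when a new token was created just before it.
    ci_actors is the tuning allowlist: CI identities legitimately clone in bulk,
    so they are exempt from the bulk rule but not from the scope rule."""
    events = parse(log_text)
    scope = build_baseline(events)
    alerts = []
    clones = defaultdict(list)   # actor -> clone events in the analysis period
    tokens = defaultdict(list)   # actor -> token.create timestamps
    for e in (x for x in events if x["ts"] >= BASELINE_END):
        if e["action"] == "token.create":
            tokens[e["actor"]].append(e["ts"])
        elif e["action"] == "repo.clone":
            clones[e["actor"]].append(e)
            if e["repo"] not in scope[e["actor"]]:
                alerts.append({"rule": "out_of_scope_access", "actor": e["actor"],
                               "repo": e["repo"], "ts": e["ts"].isoformat()})
    for actor, evs in clones.items():
        if actor in ci_actors:
            continue
        for i, start in enumerate(evs):           # sliding window over sorted clones
            repos = {x["repo"] for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW}
            if len(repos) >= BULK_THRESHOLD:
                rule = "bulk_clone"
                if any(t <= start["ts"] <= t + TOKEN_LOOKBACK for t in tokens[actor]):
                    rule = "bulk_clone_after_new_token"
                alerts.append({"rule": rule, "actor": actor, "repo_count": len(repos),
                               "ts": start["ts"].isoformat()})
                break                                 # one bulk alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the constructed log this produces three out-of-scope alerts for alice, one for the CI identity (a pipeline touching a repository it never cloned during the baseline is worth a look even when bulk cloning by CI is expected), and one `bulk_clone_after_new_token` alert for alice that correlates the 02:03 token creation with five distinct clones in the following three minutes. In practice the baseline period should be long enough to include release and migration activity, and the `ci_actors` allowlist is where the false-positive tuning from the list above lives.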

Mitigation priorities

  • Enforce multi-factor authentication for repository access, especially private repositories and administrative functions.
  • Apply user account management and least privilege to developers, contractors, service accounts, and CI/CD integrations.
  • Audit repository activity and configuration regularly, including access grants, group membership, token use, and unusual data access patterns.
  • Train users and administrators to recognize and report social engineering or suspicious repository access requests, consistent with the User Training mitigation relationship.
  • Review source code and repository history for unsecured credentials where feasible, and handle any findings through established credential response processes.
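
The last item above, reviewing source code and repository history for unsecured credentials, is the same class of work that TruffleHog (listed further down this page) automates. The following is an added example of the approach, not Glexia's, MITRE's or TruffleHog's code: it combines a few signature patterns for credential formats with a fixed public structure with a Shannon-entropy check for opaque strings, and it walks every version of every file rather than only the current tree. The in-memory `HISTORY` structure standing in for a real git log, the file contents, and the threshold are constructed assumptions; the key values are the placeholder formats used in AWS documentation, not live credentials.

```python
"""Credential review across repository history (added example, not a project's code).

The HISTORY list stands in for walking a real git log (e.g. the output of
`git log -p`) so the example runs offline; that is an assumption of this
example. Key values are AWS-documentation placeholder formats, not real keys.
"""
import math
import re

# Constructed repository history: a list of commits, each mapping a file path
# to its full content at that commit. The secret is removed in commit c2.
HISTORY = [
    {"commit": "c1", "files": {
        "config/settings.py": 'DB_PASSWORD = "s3cr3t-pass-2024"\nDEBUG = False\n',
        "deploy/aws.env": ("AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
                           "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    }},
    {"commit": "c2", "files": {
        "config/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\nDEBUG = False\n',
        "deploy/aws.env": "# moved to the secrets manager\n",
        "README.md": "Run `make build` to compile.\n",
    }},
]

# Signature rules for credential formats with a fixed, publicly documented shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "quoted_password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/_\-]{20,}")   # candidate opaque strings
ENTROPY_THRESHOLD = 4.0   # bits per character; tune against your own corpus


def shannon_entropy(s):
    """Bits of entropy per character of s; random keys score well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(secret):
    """Keep a short prefix for triage; never write the full secret to a report."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_line(line):
    """Return (rule, secret) pairs found on one line. Signature rules take
    priority; the entropy rule runs only on lines no signature matched."""
    hits = []
    for rule, rx in PATTERNS.items():
        for m in rx.finditer(line):
            hits.append((rule, m.group(1) if m.groups() else m.group(0)))
    if not hits:
        for run in TOKEN_RUN.findall(line):
            if shannon_entropy(run) >= ENTROPY_THRESHOLD:
                hits.append(("high_entropy_string", run))
    return hits


def scan_history(history):
    """Scan every file version in every commit, then mark whether each secret
    is still present in the newest commit. A secret removed from HEAD but
    present in an older commit is still retrievable by anyone with clone
    access, which is why history, not just the current tree, must be reviewed
    and why findings go to credential rotation rather than a code fix alone."""
    head_text = "\n".join(history[-1]["files"].values())
    findings = []
    for commit in history:
        for path, content in commit["files"].items():
            for line_no, line in enumerate(content.splitlines(), 1):
                for rule, secret in scan_line(line):
                    findings.append({
                        "commit": commit["commit"], "path": path, "line": line_no,
                        "rule": rule, "secret": mask(secret),
                        "still_in_head": secret in head_text,
                    })
    return findings


if __name__ == "__main__":
    for finding in scan_history(HISTORY):
        print(finding)
```

Against the constructed history the scan reports three findings, all in `c1` and all with `still_in_head` false: the current tree looks clean, but the password and both AWS key parts remain in history. That is the case the list item is about, and the correct response is the credential response process (rotate, then decide whether history rewriting is warranted), not merely the commit that removed them.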

Analyst notes and limits

The strongest defensive value is in treating code repositories as sensitive SaaS information repositories, not merely developer tooling. Repository monitoring should be integrated with identity, SaaS security, SOC triage, and incident response workflows. ATT&CK relationships show this technique has relevance across collection, credential exposure, valid-account follow-on risk, and software supply-chain concerns, but local telemetry is required to determine exposure and coverage.

MITRE does not provide official detection text for this object. The ATT&CK platform is SaaS, and conclusions should not be extended to unsupported platforms for this sub-technique without local evidence. Relationship context supports relevance to specific campaigns, groups, software, and mitigations, but it does not prove current activity in any environment or guarantee that the listed mitigations fully prevent repository collection.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| --- | --- | --- | --- |
| Enterprise | T1213 | Data from Information Repositories | This object is a sub-technique of Data from Information Repositories. |

Associated objects

Groups, software, and campaigns

Group · Enterprise

G1004: LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

Group · Enterprise

G1015: Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022.[1][2] The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors.[2] Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and used ransomware for financial gain.[3][4][5] Scattered Spider has expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.[6]

Group · Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Malware · Enterprise

S9010: GlassWorm

GlassWorm is a worm that propagated through supply chain attacks by compromising repository credentials from victim environments and having malicious payloads added to those compromised accounts for distribution to victims across the various development ecosystems.[1][2][3] GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript and a variant leveraging invisible Unicode characters that made reverse engineering difficult.[4][1][5] GlassWorm has employed a unique command and control (C2) methodology using Solana blockchain.[6][1] GlassWorm was first reported in October 2025.[6][1][3]

Platforms: macOS, Windows

Malware · Enterprise

S9008: Shai-Hulud

Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]

Platforms: Linux, SaaS, Windows

Tool · Enterprise

S9009: TruffleHog

TruffleHog is an open-source secrets-discovery tool that is used to search for credentials, API keys, and encryption keys across a variety of data sources and environments.[1][2] TruffleHog has the ability to discover credentials and secrets stored in code repositories, git history, and CI/CD pipelines, among other common storage locations, including filesystems and cloud storage buckets.[1][3][2] TruffleHog was first released by its author in 2016.[2]

Platforms: IaaS, Linux, SaaS

Campaign · Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labeled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of SolarWinds' Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 84c81a5efcd80546...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| --- | --- | --- | --- | --- | --- |
| 19.1 |  | 1.2 |  | Current bundle | 84c81a5efcd8… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Wired Uber Breach: Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021.
  2. [2] Krebs Adobe: Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021.
  3. [3] mitre-attack T1213.003

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.