GitHub and PHP Projects: GitHub Actions Token Leak Prompts Urgent Composer Update Warning

GitHub Token Leak Exposes PHP Projects to Credential Theft

A recent format change in GitHub’s authentication tokens has triggered a critical security flaw, exposing thousands of PHP projects to potential credential theft. The issue, discovered in late April 2026, stems from GitHub’s rollout of a new, variable-length token format that includes hyphens, a character not recognized by Composer’s validation system.

When Composer encountered the updated tokens, its regex validation failed, causing the tool to log the full, unredacted tokens in error logs instead of masking them. This vulnerability affects projects using Composer in GitHub Actions workflows, particularly those leveraging the widely adopted shivammathur/setup-php action, which automatically registers these tokens in Composer’s global authentication settings.

The risk varies by runner type: tokens on GitHub-hosted runners expire within 6 hours, while those on self-hosted runners remain valid for up to 24 hours. Since GitHub App tokens may carry broad permissions, exposed credentials could grant attackers significant access to repositories and CI/CD pipelines.

On May 13, 2026, GitHub temporarily reverted the token format change to halt further exposure, providing a brief window for developers to patch their systems. Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28 (for legacy systems) now include fixes that relax validation rules and prevent token leakage in logs. Packagist confirmed that packagist.org and Private Packagist were unaffected, with the latter already mitigating the issue.

The incident underscores the risks of parsing or validating secrets against rigid assumptions, as evolving platform standards can introduce unforeseen vulnerabilities. Developers are advised to audit recent GitHub Actions logs for exposed tokens and revoke any compromised credentials.
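To make the failure mode concrete, here is an added illustration written for this article (it is not Composer's or setup-php's code; the regexes and token values are constructed assumptions): a strict validator that copies the raw secret into its error message, the hardened version beside it, and a small audit helper that scans log lines for token-shaped strings and reports them redacted.

```python
import re

# Constructed token values for the demo; not real credentials.
LEGACY_TOKEN = "ghs_" + "A" * 36                         # fixed length, no hyphens
NEW_FORMAT_TOKEN = "ghs_" + "A" * 20 + "-" + "b" * 17    # variable length, contains a hyphen

# Assumed strict pattern (not Composer's real regex): accepts the legacy shape only.
STRICT_RE = re.compile(r"^gh[ps]_[A-Za-z0-9]{36}$")
# Relaxed shape: known prefix plus a body that may vary in length and include hyphens.
RELAXED_RE = re.compile(r"^gh[a-z]_[A-Za-z0-9_-]{20,}$")


def redact(secret: str) -> str:
    """Keep only the prefix so a log reader can tell the credential type."""
    return secret[:4] + "****" if len(secret) > 8 else "****"


def register_vulnerable(token: str, log: list) -> bool:
    """Failure mode from the incident: the validation error carries the raw secret."""
    if not STRICT_RE.match(token):
        log.append("Invalid GitHub token provided: " + token)  # leaks the token
        return False
    return True


def register_fixed(token: str, log: list) -> bool:
    """Hardened: accept the new shape, and never place the secret itself in a log line."""
    if not RELAXED_RE.match(token):
        log.append("Invalid GitHub token provided: " + redact(token))
        return False
    return True


# Audit helper: find token-shaped strings in captured Actions log lines.
TOKEN_SCAN_RE = re.compile(r"\bgh[a-z]_[A-Za-z0-9_-]{20,}\b")


def find_exposed_tokens(log_lines):
    """Return (line_number, redacted_token) for every token-shaped match."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in TOKEN_SCAN_RE.finditer(line):
            hits.append((n, redact(m.group(0))))
    return hits


if __name__ == "__main__":
    log = []
    register_vulnerable(NEW_FORMAT_TOKEN, log)   # strict check fails, raw token is logged
    print(find_exposed_tokens(log))              # audit flags it: [(1, 'ghs_****')]
```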

Source: https://cyberpress.org/github-token-leak-warning/

GitHub TPRM report: https://www.rankiteo.com/company/github

PHP Projects TPRM report: https://www.rankiteo.com/company/phpcomposer

"id": "phpgit1778747372",
"linkid": "phpcomposer, github",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Thousands of PHP projects',
                        'industry': 'Technology/Software',
                        'name': 'GitHub',
                        'size': 'Large',
                        'type': 'Platform Provider'},
                       {'industry': 'Software Development',
                        'name': 'PHP Projects using Composer',
                        'type': 'Open-Source/Private Projects'}],
 'attack_vector': 'Misconfiguration',
 'customer_advisories': 'Developers advised to audit logs and revoke '
                        'compromised credentials.',
 'data_breach': {'sensitivity_of_data': 'High (GitHub App tokens may carry '
                                        'broad permissions)',
                 'type_of_data_compromised': 'Authentication tokens'},
 'date_detected': '2026-04',
 'date_publicly_disclosed': '2026-05-13',
 'description': 'A recent format change in GitHub’s authentication tokens has '
                'triggered a critical security flaw, exposing thousands of PHP '
                'projects to potential credential theft. The issue stems from '
                'GitHub’s rollout of a new, variable-length token format that '
                'includes hyphens, a character not recognized by Composer’s '
                'validation system. This caused Composer to log full, '
                'unredacted tokens in error logs, affecting projects using '
                'Composer in GitHub Actions workflows, particularly those '
                'leveraging the *shivammathur/setup-php* action. Exposed '
                'tokens could grant attackers access to repositories and CI/CD '
                'pipelines.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'GitHub and affected projects',
            'data_compromised': 'GitHub authentication tokens',
            'operational_impact': 'Potential unauthorized access to '
                                  'repositories and CI/CD pipelines',
            'systems_affected': 'PHP projects using Composer in GitHub Actions '
                                'workflows'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Risks of parsing or validating secrets against rigid '
                    'assumptions, as evolving platform standards can introduce '
                    'unforeseen vulnerabilities.',
 'post_incident_analysis': {'corrective_actions': 'GitHub reverted token '
                                                  'format change; Composer '
                                                  'updated to relax validation '
                                                  'rules and prevent token '
                                                  'leakage.',
                            'root_causes': 'GitHub’s new token format '
                                           '(variable-length with hyphens) not '
                                           'recognized by Composer’s '
                                           'validation system, leading to '
                                           'unredacted token logging.'},
 'recommendations': 'Audit GitHub Actions logs for exposed tokens, revoke '
                    'compromised credentials, and update Composer to patched '
                    'versions.',
 'references': [{'source': 'GitHub Incident Report'},
                {'source': 'Composer Release Notes'}],
 'response': {'containment_measures': 'GitHub temporarily reverted the token '
                                      'format change',
              'recovery_measures': 'Developers advised to audit logs and '
                                   'revoke compromised credentials',
              'remediation_measures': 'Composer versions 2.9.8, 2.2.28 LTS, '
                                      'and 1.10.28 released with fixes to '
                                      'relax validation rules and prevent '
                                      'token leakage in logs'},
 'title': 'GitHub Token Leak Exposes PHP Projects to Credential Theft',
 'type': 'Data Exposure',
 'vulnerability_exploited': 'Composer’s regex validation failure due to '
                            'GitHub’s new token format'}