[xander158]

You're assuming that the breach was done through the UI and not for example an oauth token or ssh key that was stolen from a developer's machine and used to download the source code by the attacker.

[Nextgrid]

Another comment mentions GitHub themselves detecting the breach - in this case it's unlikely to be done via a compromised developer's laptop as the access would otherwise look normal and wouldn't trigger GH's security alerts.

[Aeolun]

Depends, if someone suddenly starts pulling down every single repository in the org, that should ring some bells.

[grogenaut]

Meh... I do this every 6-8 months as a principal engineer. I've had many legit use cases.: Understanding our overall dependency tree, validating code coverage assumptions, seeing which projects built still, testing out prototype profiler reports, inspecting the code to see how hard adding x pattern would be, quantifying code change patterns over the pandemic, seeing which uses of the AWS sdk or internal clients were instrumented with metrics, seeing what pct would build under make/go build/bazel/etc.

Anyway many legit reasons. Should it set off an alarm? Probably. Can you say before you do it? For sure!

[trallnag]

Depends on the number of repositories I would assume. There are orgs with thousands of them.

[grogenaut]

Last I downloaded it was around 3600 of them.

[waspight]

I think that they have alerts for when an access token is found in the wild, for instance. So it is quite possible.

[Sankozi]

Why would it always look normal? Different IP, different usage patterns could trigger the alert.

[noselasd]

It would look abnormal if it was accessed from a dubious geolocation compared to normal access, which are things github can track and detect.