TIARAS - T1593.003: Code Repositories

MITRE ATT&CK Technique

Reconnaissance T1593.003

Description

Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Adversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). **Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories.

Supported Platforms

PRE

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2022-08-09T13:01:43.314Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may search public code repositories for '
                'information about victims that can be used during targeting. '
                'Victims may store code in repositories on various third-party '
                'websites such as GitHub, GitLab, SourceForge, and BitBucket. '
                'Users typically interact with code repositories through a web '
                'application or command-line utilities such as git.  \n'
                '\n'
                'Adversaries may search various public code repositories for '
                'various information about a victim. Public code repositories '
                'can often be a source of various general information about '
                'victims, such as commonly used programming languages and '
                'libraries as well as the names of employees. Adversaries may '
                'also identify more sensitive data, including accidentally '
                'leaked credentials or API keys.(Citation: GitHub Cloud '
                'Service Credentials) Information from these sources may '
                'reveal opportunities for other forms of reconnaissance (ex: '
                '[Phishing for '
                'Information](https://attack.mitre.org/techniques/T1598)), '
                'establishing operational resources (ex: [Compromise '
                'Accounts](https://attack.mitre.org/techniques/T1586) or '
                '[Compromise '
                'Infrastructure](https://attack.mitre.org/techniques/T1584)), '
                'and/or initial access (ex: [Valid '
                'Accounts](https://attack.mitre.org/techniques/T1078) or '
                '[Phishing](https://attack.mitre.org/techniques/T1566)). \n'
                '\n'
                '**Note:** This is distinct from [Code '
                'Repositories](https://attack.mitre.org/techniques/T1213/003), '
                'which focuses on '
                '[Collection](https://attack.mitre.org/tactics/TA0009) from '
                'private and internally hosted code repositories. ',
 'external_references': [{'external_id': 'T1593.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1593/003'},
                         {'description': 'Runa A. Sandvik. (2014, January 14). '
                                         'Attackers Scrape GitHub For Cloud '
                                         'Service Credentials, Hijack Account '
                                         'To Mine Virtual Currency. Retrieved '
                                         'August 9, 2022.',
                          'source_name': 'GitHub Cloud Service Credentials',
                          'url': 'https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/'}],
 'id': 'attack-pattern--70910fbd-58dc-4c1c-8c48-814d11fcd022',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'reconnaissance'}],
 'modified': '2025-10-24T17:48:56.790Z',
 'name': 'Code Repositories',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Matt Burrough, @mattburrough, Microsoft',
                          'Vinayak Wadhwa, SAFE Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.0'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (3)

HAFNIUM
High

LAPSUS$
High

Contagious Interview
High

Back to TTPs

Dashboard About