Leaked Netlify personal access token — deploy + environment compromise
Netlify PATs grant full API access to the issuing user's teams and sites. Similar blast radius to Vercel tokens.
The next 60 seconds matter
The attacker reads site configs + environment variables, triggers deploys, modifies DNS + redirect configs, and exfiltrates build logs.
- Read environment variables
- Trigger malicious deploys
- Modify DNS / redirect configs
Rotation playbook
- app.netlify.com/user/applications → Revoke the leaked token
- Rotate every secret held in environment variables the token could have read; revoking the token does not invalidate values that were already exfiltrated
Prevent the next one
- Use OAuth apps for integrations where possible
- Team-scoped tokens over user-scoped tokens
Pattern we scan for
nfp_... or similar
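A small scanner for that pattern, added here as an illustration and not part of the original page or of any Netlify tooling. The nfp_ prefix comes from the page; the body character class and the 20-character minimum are assumptions, not a documented Netlify token format. Matches are reported masked so a finding can be logged without re-leaking the secret.

```python
import re
from typing import List, Tuple

# The nfp_ prefix is from the page; the body character class and minimum
# length are assumptions, not a documented Netlify token format.
NETLIFY_PAT_RE = re.compile(r"(?<![A-Za-z0-9_])(nfp_[A-Za-z0-9_-]{20,})")


def mask_token(token: str) -> str:
    """Keep the prefix and last four characters so a hit is reportable
    without copying the secret into the finding."""
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def find_netlify_tokens(text: str) -> List[Tuple[int, str]]:
    """Scan text line by line; return (1-based line number, masked token)
    for every candidate Netlify PAT."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in NETLIFY_PAT_RE.finditer(line):
            hits.append((lineno, mask_token(m.group(1))))
    return hits


# Constructed sample input (not real tokens): a .env line, a CI log line,
# and a short nfp_ string that should not be flagged.
SAMPLE = """\
NETLIFY_AUTH_TOKEN=nfp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
2024-01-01T00:00:00Z netlify deploy --auth nfp_ZzYyXxWwVvUuTtSsRrQqPpOoNnMm99
export NFP_PREFIX=nfp_short
"""

if __name__ == "__main__":
    for lineno, masked in find_netlify_tokens(SAMPLE):
        print(f"line {lineno}: {masked}")
```

Run it over a repository checkout or CI log dump; the negative lookbehind stops the regex from firing inside longer identifiers, and the length floor filters obvious placeholders like nfp_short. Tune the character class once you confirm the real token alphabet.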