Earlier today GitHub disclosed that a hacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from various private repositories.
Since the breach was first spotted on April 12, 2022, the hacker has accessed and stolen data from dozens of victim organizations that use Heroku- and Travis-CI-maintained OAuth apps, including npm.
“The applications maintained by these integrators were used by GitHub users, including GitHub itself,” reads a statement issued today by Mike Hanley, Chief Security Officer (CSO) at GitHub.
“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.”
“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”
According to the company's CSO, the list of impacted OAuth applications includes:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
GitHub Security identified the unauthorized access to GitHub’s npm production infrastructure on April 12 during routine checks, after the hacker used a compromised AWS API key.
The attacker likely obtained the API key after downloading multiple private npm repositories using the stolen OAuth tokens.
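The statement describes the attacker mining cloned repository contents for secrets such as an AWS API key. The following is an added example, not code from GitHub or the article, of a small Python scanner a defender can run over a checkout to find such material before it is abused; the regexes, the skip list and the sample .env text are my own constructed assumptions.

```python
import re
from pathlib import Path
from typing import NamedTuple

# Constructed pattern: AWS access key IDs are 20 characters and start with a known
# prefix (AKIA = long-lived IAM user key, ASIA = temporary STS key).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 base64-like characters; to limit false positives we only
# flag one when it follows an aws_secret_access_key-style label.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret(?:_?access)?_?key)\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    value: str  # redacted, so the report itself does not re-leak the key

def redact(value: str) -> str:
    """Keep only the first and last four characters of a matched secret."""
    return value[:4] + "..." + value[-4:]

def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return every AWS key-shaped match in text, with its 1-based line number."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, n, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, n, "aws_secret_access_key", redact(m.group(1))))
    return findings

def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> list[Finding]:
    """Walk a checked-out repository and scan every regular file."""
    results = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or any(part in skip_dirs for part in p.parts):
            continue
        results.extend(scan_text(p.read_text(errors="ignore"), str(p)))
    return results

# Constructed sample using AWS's documented placeholder credentials.
SAMPLE = """# demo .env file
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=localhost
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.env"):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.value}")
```

Any hit should be treated as already compromised if the repository was cloned, and rotated rather than merely deleted from the tree.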
“Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications,” Hanley added.
According to the company, the impact on the npm organization includes unauthorized access to private GitHub.com repositories and “potential access” to some npm packages in AWS S3 storage.
GitHub’s private repositories not affected
While the hacker was able to steal data from the compromised repositories, GitHub believes that none of the packages were modified and that no user account data or credentials were accessed in the breach.
“npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack,” Hanley said.
“Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”
GitHub is working on notifying all impacted organizations and individuals, identified using additional information gathered by GitHub.