GitHub Attacker Uses Stolen OAuth User Tokens to Breach Dozens of Organizations

Today GitHub revealed its attackers used stolen OAuth user tokens to download data from private repositories. The stolen OAuth user tokens were issued to Heroku and Travis-CI.

The campaign was first spotted on April 12, 2022; by then the attackers had already accessed and stolen data from dozens of organizations using Heroku- and Travis-CI-maintained OAuth apps, including npm.

Mike Hanley, Chief Security Officer (CSO) at GitHub explained, “The applications maintained by these integrators were used by GitHub users, including GitHub itself. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”

The impacted OAuth applications mentioned by Hanley include:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

On April 12, GitHub security identified unauthorized access to GitHub’s npm production infrastructure after a compromised AWS API key was used by the attacker. The attacker may have obtained the API key by downloading multiple private npm repositories using stolen OAuth tokens.

Hanley further explained, “Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications.”

The incident has impacted the npm organization, including unauthorized access to private GitHub.com repositories and “potential access” to npm packages on AWS S3 storage.

According to GitHub, no user account data or credentials were accessed in the incident, though the attacker managed to steal data from compromised repositories. The investigation is ongoing; right now there is no evidence of any other GitHub-owned private repositories having been cloned by an attacker using stolen third-party OAuth tokens.

All impacted users and organizations will be notified about the incident with additional information. You can review your organization’s audit logs and your user account security log for anomalous, potentially malicious activity.

GitHub has advised all its users and organizations to check the security alert published on Friday.
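The audit-log review GitHub recommends can be partly automated. The script below is an added example, not code from GitHub or the article: it scans an organization audit-log export for two signals described above, requests made with tokens of the five named OAuth app IDs and one actor cloning many private repositories in a short window. The export field names (action, actor, repo, visibility, created_at, oauth_application_id) and the sample events are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# OAuth app IDs that GitHub named as abused in this incident (from the article).
COMPROMISED_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# Constructed sample export (not real data). Field names are an assumption about
# the export format: action, actor, repo, visibility, created_at (epoch ms),
# and oauth_application_id when the request was made with an OAuth app token.
SAMPLE_EXPORT = json.dumps([
    {"action": "git.clone", "actor": "svc-deploy", "repo": "acme/app-a",
     "visibility": "private", "created_at": 1649721600000, "oauth_application_id": 9216},
    {"action": "git.clone", "actor": "svc-deploy", "repo": "acme/app-b",
     "visibility": "private", "created_at": 1649721612000, "oauth_application_id": 9216},
    {"action": "git.clone", "actor": "svc-deploy", "repo": "acme/infra",
     "visibility": "private", "created_at": 1649721630000, "oauth_application_id": 9216},
    {"action": "git.clone", "actor": "svc-deploy", "repo": "acme/secrets-vault",
     "visibility": "private", "created_at": 1649721645000, "oauth_application_id": 9216},
    {"action": "git.clone", "actor": "alice", "repo": "acme/app-a",
     "visibility": "private", "created_at": 1649721700000},
])


def scan_audit_log(raw_json, app_ids=COMPROMISED_APP_IDS, burst=3, window_ms=60_000):
    """Return (app_token_events, mass_cloners): events made with a named OAuth app's
    token, and {actor: private repos} for actors cloning >= `burst` private repos
    within any `window_ms` window (the mass-download pattern in the incident)."""
    events = json.loads(raw_json)
    app_token_events = [e for e in events if e.get("oauth_application_id") in app_ids]

    clones = defaultdict(list)  # actor -> [(timestamp, repo)]
    for e in events:
        if e.get("action") == "git.clone" and e.get("visibility") == "private":
            clones[e["actor"]].append((e["created_at"], e["repo"]))

    mass_cloners = {}
    for actor, items in clones.items():
        items.sort()
        times = [t for t, _ in items]
        # Sliding window: flag if `burst` clones fall inside any `window_ms` span.
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window_ms:
                mass_cloners[actor] = sorted({r for _, r in items})
                break
    return app_token_events, mass_cloners


if __name__ == "__main__":
    hits, cloners = scan_audit_log(SAMPLE_EXPORT)
    print(f"{len(hits)} event(s) via named OAuth apps; mass cloners: {cloners}")
```

Tune `burst` and `window_ms` to your organization's normal CI clone rate before treating a hit as an incident.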
