Hackers breached dozens of organizations using stolen OAuth user tokens issued to third-party OAuth integrators Heroku and Travis-CI, cloud-based repository hosting service GitHub revealed.
“On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. The applications maintained by these integrators were used by GitHub users, including GitHub itself,” GitHub's Mike Hanley said in a blog post.
The company said it doesn’t believe that the malicious actors obtained tokens through compromise of GitHub or its systems.
“Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure,” GitHub said, adding that it informed Heroku and Travis-CI on April 13 and 14.
The affected OAuth applications include Heroku Dashboard (ID: 145909), Heroku Dashboard (ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
The breach came to light on April 12 when the GitHub security team discovered that an unknown party gained access to GitHub’s npm production infrastructure using a compromised AWS API key. It appears that the threat actors obtained the API key while downloading a set of private npm repositories using a stolen OAuth token from one of the impacted applications.
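The chain described above (a stolen OAuth token used to download private repositories, a cloud API key found in those repositories, then a pivot into production infrastructure) turns on credentials that were committed to source. As an added, defender-side example that is not part of the article and not GitHub's or npm's tooling, the script below scans an in-memory snapshot of a repository for credential-shaped strings so they can be rotated before a leaked repository becomes a pivot. The AWS access key ID format (`AKIA` plus 16 uppercase alphanumerics) and the GitHub `ghp_`/`gho_` token prefixes are assumptions drawn from public documentation, and the sample repository contents are constructed placeholders, not real secrets.

```python
import re
from typing import Dict, List, Tuple

# Credential formats commonly committed by mistake. The AWS access key ID
# shape (AKIA + 16 uppercase alphanumerics), the 40-character AWS secret key
# and the GitHub token prefixes (ghp_ personal access token, gho_ OAuth user
# token) are assumptions based on public documentation, not from the article.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws(?:_|-)?secret(?:_|-)?access(?:_|-)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "github_token": re.compile(r"\bgh[po]_[A-Za-z0-9]{36}\b"),
}

Finding = Tuple[str, int, str]  # (path, line number, pattern name)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per (line, pattern) hit; the secret itself is never
    returned, so the report can be logged or ticketed without re-leaking it."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_repo_snapshot(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} snapshot, e.g. the files at a repository HEAD
    or the tree that an OAuth-scoped clone would have exposed."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return sorted(findings)


# Constructed sample repository contents; every value here is a placeholder.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/config.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEEXAMPLE01'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    ".env": "GITHUB_TOKEN=gho_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "README.md": "# Service\nUse the AWS_ACCESS_KEY_ID environment variable.\n",
}

if __name__ == "__main__":
    for path, lineno, name in scan_repo_snapshot(SAMPLE_REPO):
        # Report location and credential type only; rotate, then purge history.
        print(f"{path}:{lineno}: possible {name}")
```

Run against a real checkout by walking the working tree (and, separately, `git log -p`, since a secret removed in a later commit is still in history and still in any clone the attacker took). Findings are deliberately free of the matched value: the point of the report is which credential to rotate, not to copy the secret into a second place.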
Following the discovery, the company revoked the tokens associated with GitHub's and npm's internal use of the compromised applications. GitHub said it found no evidence that the attackers altered any packages or gained access to any user account data or credentials.
“We are still working to understand whether the attacker viewed or downloaded private packages. npm uses completely separate infrastructure from GitHub.com,” the company said, adding that the attacks may be ongoing. “GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”