GitHub hacked, npm data stolen after 0auth tokens stolen in upstream breach

Written by Ed Targett Ed Targett is the founder of The Stack. He has served as editor of Tech Monitor, Computer Business Review, and Roubini Global Economics.

Networking
 — 
1
 Min read
 — 
May 19, 2022

GitHub hacked after Heroku, Travis-CI 0auth tokens stolen in upstream attack. More updates with fresh comment from GitHub and Heroku in our April 28 article here. Follow on LinkedIn for more also.

An unknown attacker breached GitHub to download data from scores of private code repositories including that of npm — the world’s largest software registry with 75 billion downloads a month — the company has confirmed in a hugely troubling cybersecurity incident. GitHub says it and other affected companies were compromised after the attacker stole authentication tokens from two other upstream software firms.

GitHub Security confirmed the breach on April 18, saying it spotted unauthorised access to its own npm production infrastructure using a compromised AWS API key on April 12 as part of the evolving incident. (GitHub operates numerous microservices and databases underpinning production infrastructure for the npm registry; a JavaScript code hub and the largest software registry in the world, which it bought in 2020.)

GitHub said it saw “unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage… we assess that the attacker did not modify any packages or gain access to any user account data or credentials.”

GitHub hacked after Heroku, Travis-CI 0auth tokens accessed

The attackers appear to be using 0Auth — an industry standard authorisation protocol — tokens stolen from software providers Heroku and Travis-CI to launch the attacks, GitHub said: “We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations… Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”

0Auth tokens from the following applications were abused, it said.

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

Troublingly, it appears that both Heroku and Travis-CI were oblivious to the breach until GitHub notified them, with both saying they had taken action after GitHub informed them of the breach.

Read More: 

Like the article? Spread the word