GitHub Security discovered that an attacker abused stolen OAuth user tokens issued to two third-party integrators, Heroku and Travis-CI, and used them to download data from many organizations, including npm. Both Heroku and Travis-CI maintain OAuth applications that are authorized by a large number of GitHub users, GitHub itself among them.
GitHub stated that the tokens were not obtained through a compromise of GitHub or its systems, because GitHub does not store these tokens in their original, usable form. GitHub found the issue on April 12; on April 13 and April 14 it shared its findings with Heroku and Travis-CI respectively so that they could take immediate action.
GitHub reported that the compromised OAuth tokens were used to download private repositories owned by several victim organizations. GitHub's analysis suggested that the attacker first used each token to list the repositories it could reach, then selectively cloned repositories, looking for information that could be used to infiltrate those organizations further.
The affected OAuth applications from Heroku and Travis-CI are:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
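Given the list above, the first check an affected organization wants is whether any of these application IDs appears in its audit log, and which repositories were read through them. The following is an added example, not code from the original post or from GitHub: a Python scan over a constructed JSON-lines audit-log export. The field name `oauth_application_id`, the action names in `CONTENT_READ_ACTIONS`, and the sample lines are assumptions for illustration; map them onto the fields that your actual export uses.

```python
import json


# OAuth application IDs named in GitHub's advisory (the list above).
AFFECTED_OAUTH_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# Audit-log actions that mean repository contents were actually fetched.
# These action names are assumptions for illustration; verify them against
# the actions present in your own export before relying on them.
CONTENT_READ_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

# Constructed sample of a JSON-lines audit-log export. The field name
# "oauth_application_id" is an assumption, not GitHub's documented schema.
SAMPLE_AUDIT_LINES = [
    '{"@timestamp": 1649808000000, "action": "git.clone", "actor": "ci-bot", '
    '"org": "acme", "repo": "acme/infra", "oauth_application_id": 9216}',
    '{"@timestamp": 1649808060000, "action": "oauth_authorization.create", '
    '"actor": "dana", "org": "acme", "oauth_application_id": 9216}',
    '{"@timestamp": 1649808120000, "action": "repo.download_zip", "actor": "dana", '
    '"org": "acme", "repo": "acme/secrets", "oauth_application_id": "145909"}',
    '{"@timestamp": 1649808180000, "action": "git.clone", "actor": "eve", '
    '"org": "acme", "repo": "acme/website", "oauth_application_id": 424242}',
    '{"@timestamp": 1649808240000, "action": "git.fetch", "actor": "frank", '
    '"org": "acme", "repo": "acme/infra"}',
    'this line is not JSON and must not abort the scan',
]


def parse_audit_lines(lines):
    """Parse a JSON-lines export, skipping blank or malformed lines so that one
    bad line cannot abort the whole scan."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def _app_id(event):
    """Return the OAuth app ID of an event as an int, or None if absent/invalid.
    The export may carry the ID as a string, so normalise it."""
    value = event.get("oauth_application_id")
    if value is None:
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def find_affected_app_activity(events, affected_ids=AFFECTED_OAUTH_APP_IDS):
    """Group events attributed to an affected OAuth app by app ID.

    Returns {app_id: {"events": int, "actors": set, "repos": set}}, where
    "repos" holds only repositories whose contents were actually read."""
    hits = {}
    for event in events:
        app_id = _app_id(event)
        if app_id not in affected_ids:
            continue
        entry = hits.setdefault(app_id, {"events": 0, "actors": set(), "repos": set()})
        entry["events"] += 1
        if event.get("actor"):
            entry["actors"].add(event["actor"])
        if event.get("action") in CONTENT_READ_ACTIONS and event.get("repo"):
            entry["repos"].add(event["repo"])
    return hits


def repos_exposed(events, affected_ids=AFFECTED_OAUTH_APP_IDS):
    """Sorted list of repositories whose contents were read through any
    affected app: the set to treat as potentially exfiltrated."""
    exposed = set()
    for entry in find_affected_app_activity(events, affected_ids).values():
        exposed |= entry["repos"]
    return sorted(exposed)


if __name__ == "__main__":
    events = parse_audit_lines(SAMPLE_AUDIT_LINES)
    for app_id, entry in sorted(find_affected_app_activity(events).items()):
        print(f"app {app_id}: {entry['events']} event(s), "
              f"actors={sorted(entry['actors'])}, repos read={sorted(entry['repos'])}")
    print("treat as exposed:", repos_exposed(events))
```

Activity through other OAuth apps (the `424242` line) and plain user activity with no app ID are deliberately ignored; pass a different `affected_ids` set to check other applications. An authorization event (`oauth_authorization.create`) counts as activity for the app but not as a content read, which is why it contributes an actor but no repository. An empty result only shows that nothing was logged through these IDs, not that the organization was untouched, so it should be read alongside the token revocation and secret rotation that the advisory recommends.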
GitHub and npm
GitHub Security also found unauthorized access to GitHub's npm production infrastructure. The access was made with a compromised AWS API key, which GitHub believes the attacker obtained by downloading a set of private npm repositories using one of the stolen OAuth tokens. GitHub immediately revoked the OAuth tokens associated with its own and npm's internal use of the affected applications.
GitHub stated that “At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages. GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com”.
GitHub also confirmed that it found no evidence of the attacker cloning GitHub-owned private repositories.