An attacker used OAuth user tokens stolen from two third-party OAuth integrators to view and download private GitHub repositories belonging to dozens of organizations in a recent campaign, and GitHub security officials say there is evidence the attacker may also have been mining the downloaded repositories for secrets that could be used in further attacks.
The attacker abused tokens issued to applications maintained by Heroku and Travis-CI. GitHub discovered the campaign on April 12 and notified the two companies on April 13 and 14. The downloaded repositories included private repositories belonging to npm, the package registry that GitHub owns. The attacker then used a stolen AWS API key to access npm's infrastructure, and it was that unauthorized access that alerted GitHub security to the intrusion.
“Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above. Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications,” Mike Hanley, CSO of GitHub, said in a post.
“We believe that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage.”
Hanley said there is no evidence that the attacker modified any packages or gained access to user data or credentials. Also, because npm runs on infrastructure that is completely separate from GitHub.com, GitHub.com itself was not affected by the npm intrusion. GitHub is sending notification emails to every customer it knows to be affected and has worked with both Heroku and Travis-CI on their responses.
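The pivot described above, from a cloned private repository to an AWS API key found inside it, is the failure mode worth checking for in your own repositories. The following scanner is an added example and not code from GitHub, npm, Heroku or Travis-CI; it walks an in-memory set of files (a constructed sample embedded below, using the placeholder credentials from the AWS documentation) and reports AWS access key IDs and likely secret access keys. The access key ID format is documented by AWS; the secret key pattern is a heuristic of our own and will miss secrets that are not stored next to a recognizable label.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# AWS access key IDs are 20 characters: a documented prefix (AKIA for
# long-term keys, ASIA for temporary session keys) plus 16 uppercase
# alphanumerics. The secret key regex is a heuristic (assumption): a
# "secret key" style label followed by a 40-character base64-ish token.
AWS_ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws(?:_|\s)?secret(?:_access)?(?:_|\s)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def redact(value: str) -> str:
    """Show only enough of a credential to identify it in a report."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line for AWS credential material."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(1)))
        for m in AWS_SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key", m.group(1)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (e.g. a checked-out tree)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository contents (not real data). The AKIA/secret
# values are the placeholder credentials published in the AWS documentation.
SAMPLE_FILES: Dict[str, str] = {
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "README.md": "Keys are issued by AWS IAM; never commit AKIA-prefixed keys.\n",
    "scripts/upload.py": 'S3_KEY = "ASIAZZZZZZZZZZZZZZZZ"  # short-lived session key\n',
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Run against a real checkout, read the files from disk into the same path-to-contents mapping; the README line shows the word boundary and length checks rejecting a mention of the prefix that is not an actual key. Treat any hit as a credential that must be rotated, not merely deleted from the repository, since the attacker in this campaign already had a copy of the repository contents.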
“Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users,” Hanley said.
“Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”
Hanley said that any customer or organization that does not receive an email notification can assume it is not affected by the intrusion, but he recommends that customers periodically review the list of OAuth applications authorized for their accounts and organizations and revoke any that are no longer needed.