Attacker breached dozens of orgs using stolen OAuth tokens

GitHub revealed today that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.

Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.

“The applications maintained by these integrators were used by GitHub users, including GitHub itself,” revealed today Mike Hanley, Chief Security Officer (CSO) at GitHub.

“We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats.

“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.”

According to Hanley, the list of impacted OAuth applications includes:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Common (ID: 363831)
  • Travis CI (ID: 9216)

GitHub Security identified the unauthorized access to GitHub’s npm production infrastructure on April 12 after the attacker used a compromised AWS API key.

The attacker likely obtained the API key after downloading multiple private npm repositories using stolen OAuth tokens.

“On discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications,” Hanley added.

The impact on the npm organization includes unauthorized access to private repositories and “potential access” to npm packages on AWS S3 storage.

GitHub’s private repositories not impacted

While the attacker was able to steal data from the compromised repositories, GitHub believes that none of the packages were modified and no user account data or credentials were accessed in the incident.

“npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack,” Hanley said.

“Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”

GitHub is working on notifying all impacted users and organizations as they are identified, with additional information.

You should review your organization’s audit logs and the user account security logs for anomalous, potentially malicious activity.

You can find more information on how GitHub responded to protect its users, and what users and organizations need to know, in the security alert published on Friday.
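As an added example (not part of the original article or GitHub's own tooling), the script below applies that recommendation to an audit-log export: it flags git clone and fetch events performed through any of the five affected OAuth app IDs on or after April 12, 2022, and groups the touched repositories per app so you can scope what each stolen token could reach. The JSON-lines layout and the field names (`@timestamp`, `action`, `actor`, `repo`, `oauth_application_id`) are assumptions, and the sample lines are constructed.

```python
import json
from datetime import datetime, timezone

# OAuth application IDs GitHub listed as affected (from the advisory above).
AFFECTED_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# The campaign was first spotted on April 12, 2022; review activity from that day on.
CAMPAIGN_START = datetime(2022, 4, 12, tzinfo=timezone.utc)

# Git actions that correspond to repository contents being downloaded.
DOWNLOAD_ACTIONS = {"git.clone", "git.fetch"}

# Constructed sample export (JSON lines). Field names are assumptions modelled on a
# GitHub audit-log export ("@timestamp" in epoch ms); adapt them to your own export.
SAMPLE_LOG = """\
{"@timestamp": 1649808000000, "action": "git.clone", "actor": "deploy-bot", "repo": "acme/payments-service", "oauth_application_id": 9216}
{"@timestamp": 1649548800000, "action": "git.clone", "actor": "deploy-bot", "repo": "acme/payments-service", "oauth_application_id": 9216}
{"@timestamp": 1649808060000, "action": "git.clone", "actor": "alice", "repo": "acme/web", "oauth_application_id": 999999}
{"@timestamp": 1649808120000, "action": "git.fetch", "actor": "heroku-sync", "repo": "acme/billing", "oauth_application_id": 145909}
{"@timestamp": 1649808180000, "action": "git.clone", "actor": "bob", "repo": "acme/infra"}
{"@timestamp": 1649808240000, "action": "repo.create", "actor": "alice", "repo": "acme/new", "oauth_application_id": 9216}
"""


def find_suspicious_downloads(jsonl_text, app_ids=AFFECTED_APP_IDS, since=CAMPAIGN_START):
    """Return (ISO timestamp, actor, repo, app_id) for downloads made via an affected app since `since`."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        event = json.loads(line)
        app_id = event.get("oauth_application_id")
        # Skip events not made through an affected app, and non-download actions.
        if app_id not in app_ids or event.get("action") not in DOWNLOAD_ACTIONS:
            continue
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        if when < since:  # before the campaign window; not flagged here
            continue
        findings.append((when.isoformat(), event.get("actor"), event.get("repo"), app_id))
    return sorted(findings)


def repos_per_app(findings):
    """Group flagged repositories by OAuth app ID to scope what each stolen token could reach."""
    grouped = {}
    for _, _, repo, app_id in findings:
        grouped.setdefault(app_id, set()).add(repo)
    return grouped


if __name__ == "__main__":
    for ts, actor, repo, app_id in find_suspicious_downloads(SAMPLE_LOG):
        print(f"{ts} {actor} downloaded {repo} via OAuth app {app_id}")
```

Any hit is a starting point for a review of that repository's contents for committed secrets, since the advisory says the actor appears to be mining cloned repositories for credentials.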