An unknown malicious actor harvests data from private code repositories using stolen OAuth user tokens issued to Heroku and Travis CI.
As GitHub reported, last Tuesday, the threat actor managed to steal the data of “dozens of victims.”
“Applications maintained by these integrators were used by GitHub users, including GitHub itself,” said Mike Hanley, GitHub’s Chief Security Officer.
No stolen credentials
Hanley went on to explain that the attacker did not obtain these tokens through a breach of GitHub, since GitHub did not store the stolen tokens in their original, usable format.
“Our analysis of other malicious actor behaviors suggests that actors may exploit the content of the uploaded private repository, to which the stolen OAuth token had access, in search of secrets that could be used to pivot to other infrastructures,” he added.
Hanley said affected OAuth apps include Heroku Dashboard (ID: 145909 and ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
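An added example, not part of GitHub's advisory or the original article: one way a defender could list the repositories read through the affected OAuth apps, so that secrets stored in them can be rotated. The log records are constructed, and their field names (`ts`, `action`, `actor`, `repo`, `oauth_app_id`) are assumptions for this example, not a documented export schema.

```python
import json
from collections import defaultdict

# OAuth app IDs of the affected applications, as listed in the article.
AFFECTED_APPS = {
    145909: "Heroku Dashboard",
    628778: "Heroku Dashboard",
    313468: "Heroku Dashboard – Preview",
    363831: "Heroku Dashboard – Classic",
    9216: "Travis CI",
}
# Actions treated as "repository content was read" (an assumption of this example).
READ_ACTIONS = {"git.clone", "git.fetch"}

# Constructed sample records, one JSON object per line. The field names are
# assumed for this example and are not taken from a real audit-log export.
SAMPLE_LOG = """\
{"ts": "2022-04-08T10:02:11Z", "action": "git.clone", "actor": "alice", "repo": "acme/billing", "oauth_app_id": 9216}
{"ts": "2022-04-08T10:05:40Z", "action": "git.clone", "actor": "bob", "repo": "acme/web", "oauth_app_id": 12345}
{"ts": "2022-04-07T09:00:00Z", "action": "git.fetch", "actor": "ci-bot", "repo": "acme/billing", "oauth_app_id": "145909"}
{"ts": "2022-04-09T14:30:00Z", "action": "repo.create", "actor": "carol", "repo": "acme/new", "oauth_app_id": 9216}
not json at all
{"ts": "2022-04-10T08:15:00Z", "action": "git.clone", "actor": "dave", "repo": "acme/infra", "oauth_app_id": 363831}
"""

def repos_to_review(log_text):
    """Return {repo: {apps, actors, first_seen}} for reads made via an affected app."""
    hits = defaultdict(lambda: {"apps": set(), "actors": set(), "first_seen": None})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            app_id = int(rec.get("oauth_app_id"))  # IDs may arrive as strings
        except (ValueError, TypeError, AttributeError):
            continue  # blank, malformed, or not an OAuth-app event
        if app_id not in AFFECTED_APPS or rec.get("action") not in READ_ACTIONS:
            continue
        entry = hits[rec.get("repo", "<unknown>")]
        entry["apps"].add(AFFECTED_APPS[app_id])
        entry["actors"].add(rec.get("actor", "<unknown>"))
        ts = rec.get("ts")  # same-format ISO 8601 UTC strings sort chronologically
        if ts and (entry["first_seen"] is None or ts < entry["first_seen"]):
            entry["first_seen"] = ts
    return {repo: {"apps": sorted(hits[repo]["apps"]), "actors": sorted(hits[repo]["actors"]),
                   "first_seen": hits[repo]["first_seen"]} for repo in sorted(hits)}

if __name__ == "__main__":
    for repo, info in repos_to_review(SAMPLE_LOG).items():
        print(repo, info)
```

Every repository in the result is a candidate for secret rotation, since its contents were reachable with a token issued to one of the affected apps.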
The attacker was spotted on April 12 attempting to use a compromised AWS API key to access GitHub’s npm production framework. It is assumed that the attacker found the API key while downloading several private npm repositories.
“After discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised apps,” Hanley further explained.
Whoever was behind the attack managed to steal data from the affected repositories, but probably wasn’t able to modify the packages or obtain identity data or account passwords.
“npm uses a completely separate infrastructure from GitHub.com; GitHub was unaffected by this initial attack,” Hanley said. “While the investigation continues, we have found no evidence that other private repositories belonging to GitHub have been cloned by the attacker using stolen third-party OAuth tokens.”