An unknown threat actor is harvesting data from private code repositories, with the help of stolen OAuth user tokens issued to Heroku and Travic-CI.
As reported by GitHub, by last Tuesday, the threat actor managed to steal data from “dozens of victims".
"The applications maintained by these integrators were used by GitHub users, including GitHub itself," said Mike Hanley, Chief Security Officer at GitHub.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
No credentials stolen
Hanley went on to explain that the attacker did not obtain these tokens as a result of a breach at GitHub, which did not store the stolen tokens in their original, usable format.
"Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure," he added.
Hanley said affected OAuth applications include Heroku Dashboard (ID: 145909 and ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
The attacker was spotted on April 12, when they tried to use a compromised AWS API key to access GitHub’s npm production infrastructure. It’s speculated that the attacker found the API key when downloading multiple private npm repositories.
"Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications," Hanley further explained.
"npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack," Hanley said. "Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.