An unknown threat actor is harvesting data from private code repositories, with the help of stolen OAuth user tokens issued to Heroku and Travic-CI.
As reported by GitHub, by last Tuesday, the threat actor managed to steal data (opens in new tab) from “dozens of victims".
"The applications maintained by these integrators were used by GitHub users, including GitHub itself," said Mike Hanley, Chief Security Officer at GitHub.
No credentials stolen
Hanley went on to explain that the attacker did not obtain these tokens as a result of a breach at GitHub, which did not store the stolen tokens in their original, usable format.
"Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure," he added.
Hanley said affected OAuth applications include Heroku Dashboard (ID: 145909 and ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
The attacker was spotted on April 12, when they tried to use a compromised AWS API key to access GitHub’s npm production infrastructure. It’s speculated that the attacker found the API key when downloading multiple private npm repositories.
> GitHub is making it easier to manage all your company's accounts (opens in new tab)
> Searching through your code just got easier in GitHub (opens in new tab)
> All GitHub features are now free for everyone (opens in new tab)
"Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications," Hanley further explained.
Whoever was behind the attack managed to steal data (opens in new tab) from affected repositories, but most likely was not able to modify the packages, or obtain identity (opens in new tab) data, or account passwords.
"npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack," Hanley said. "Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens."
- Want to avoid such a disaster? Check out the best disaster recovery services here (opens in new tab)
Via BleepingComputer (opens in new tab)