Hackers Stole the Credentials of 100,000 npm Users

GitHub representatives say they took a closer look at a recent attack in which unknown parties used stolen OAuth tokens (issued by Heroku and Travis-CI) to download data from third-party repositories and found that the attackers stole credentials from approximately 100,000 npm user accounts.

Let me remind you that this attack became known back in April of this year, and it was noticed only when the hackers had already stolen the data of dozens of organizations. The attack was identified by GitHub Security specialists, who discovered unauthorized access to the GitHub npm infrastructure when attackers used a compromised AWS API key.

This key was probably obtained by the hackers after exploring a number of private npm repositories using stolen tokens.

Then the company assured that the hackers definitely did not get the tokens by compromising GitHub or its systems, since these tokens are not stored by GitHub in usable formats at all.

Following the discovery of the GitHub incident, Travis CI and Heroku revoked all OAuth tokens to block further attack attempts.

As a GitHub investigation has now revealed, the attackers stole the following data from the npm cloud storage:

1. about 100,000 usernames, password hashes and email addresses from the archive for 2015 (skimdb.npmjs.com database backup);
2. a set of CSV files that includes all manifests and metadata of private packages as of April 7, 2021;
3. names and semVer of published versions of all private packages as of April 10, 2022;
4. private packages of two unnamed organizations.

The developers write that although the mentioned password hashes were generated using weak algorithms (PBKDF2 or SHA1 with salt) and could be hacked, account hijacking attempts should be automatically blocked by email verification, which is active for all accounts since March 1, 2022, if those don’t use 2FA.

It is also emphasized that after analyzing the logs and checking the hashes for all versions of the npm GitHub packages, the experts concluded that “the attackers did not modify any published packages and did not publish new versions of existing packages.”