Hackers Broke Into Other People’s Repositories Using Stolen OAuth Tokens

GitHub developers reported that unknown hackers used stolen OAuth tokens (issued by Heroku and Travis-CI) to download data from other people’s repositories. The first signs of the attack were noticed on April 12, 2022, and by that time the attackers had already stolen the data of dozens of organizations.

The attack was identified by GitHub Security specialists, who discovered unauthorized access to the GitHub npm infrastructure, as the attackers used a compromised AWS API key. This key was probably obtained by the hackers after exploring a number of private npm repositories using stolen OAuth tokens.

The company says the hackers certainly did not obtain the tokens by compromising GitHub or its systems, as these tokens are not stored by GitHub in usable formats at all.

According to GitHub, the list of affected OAuth applications includes:

1. Heroku Dashboard (ID: 145909);
2. Heroku Dashboard (ID: 628778);
3. Heroku Dashboard – Preview (ID: 313468);
4. Heroku Dashboard – Classic (ID: 363831);
5. Travis CI (ID: 9216).

The npm attack reportedly included unauthorized access to private repositories on GitHub.com and “potential access” to npm packages in the AWS S3 repository.

Although unknown attackers were able to steal data from the compromised repositories, GitHub believes that any of the packages was not changed, and the hackers did not gain access to user accounts or credentials during the incident.

By the way, we also talked about the fact that Attackers have stolen from Waydev GitHub and GitLab OAuth tokens.

You might also be interested in what GitHub says it takes years to fix vulnerabilities in some ecosystems.