According to GitHub, malicious threat actors used stolen OAuth user tokens issued to Travis-CI and Heroku to download data from repositories. Since the activity was first spotted last week, the attackers could already have breached and stolen a large amount of data from targeted organisations that use the Travis-CI and Heroku-maintained OAuth apps.
A security officer at GitHub said that GitHub users used the applications maintained by these entities, and added that the threat actors could not have acquired the stolen tokens from GitHub's systems, since GitHub does not store the tokens in their original, usable format.
Their analysis also revealed the threat actors’ behaviour, suggesting that the group could be mining the downloaded private repository contents. The OAuth token had access to confidential files that any intruder could utilise to tamper with other infrastructure.
Based on the published report, the affected OAuth tokens or applications are the Heroku Dashboard (ID: 145909), Heroku Dashboard (ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
GitHub Security also recently spotted unauthorised access to GitHub's npm production infrastructure after an attacker used a compromised AWS API key. The threat actor appears to have acquired the API key after downloading several private npm repositories using the stolen OAuth tokens.
The impact on the npm organisation could include unauthorised access to private GitHub[.]com repositories and a potential breach of npm packages held in AWS S3 storage.
Although the adversary could exfiltrate data from impacted repositories, GitHub claims that the threat actors compromised no packages, and no individual account data or credentials were breached.
GitHub is notifying all affected users and organisations as they are identified, along with additional details of the breach. Users should review their organisation's audit logs and their user account security logs for possible hostile activity, to reduce the chance of being compromised by these threat actors.
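As an added example of the audit-log review recommended above (this is not code from the article or from GitHub), the script below scans a JSON Lines export of a GitHub organisation audit log for events attributed to the OAuth application IDs listed in the advisory, and flags any actor/app pair that performed repeated repository downloads. The field names (action, actor, created_at, repo, oauth_application_id) are assumptions about the export format rather than a documented schema, and the sample records are constructed for illustration.

```python
"""Scan a GitHub audit-log export for activity by the OAuth apps named in the advisory.

Added example, not from the article or GitHub. Field names are assumptions
about the export format; the sample records are constructed, not real data.
"""
import json
from collections import Counter

# OAuth application IDs named in the advisory (taken from the article).
AFFECTED_OAUTH_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# Actions that correspond to pulling repository contents (assumed names).
DOWNLOAD_ACTIONS = {"repo.download_zip", "git.clone"}

# Constructed sample audit-log export in JSON Lines form (not real data).
SAMPLE_AUDIT_LOG = """
{"action": "repo.download_zip", "actor": "alice", "created_at": "2022-04-12T03:14:00Z", "repo": "acme/billing", "oauth_application_id": 9216}
{"action": "repo.download_zip", "actor": "alice", "created_at": "2022-04-12T03:14:20Z", "repo": "acme/infra", "oauth_application_id": 9216}
{"action": "git.clone", "actor": "bob", "created_at": "2022-04-12T09:00:00Z", "repo": "acme/website", "oauth_application_id": 145909}
{"action": "git.push", "actor": "carol", "created_at": "2022-04-12T10:00:00Z", "repo": "acme/website", "oauth_application_id": 777777}
{"action": "org.update_member", "actor": "dave", "created_at": "2022-04-12T11:00:00Z"}
"""


def parse_audit_log(text):
    """Parse a JSON Lines export into a list of dict records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def flag_affected_app_activity(records, app_ids=AFFECTED_OAUTH_APP_IDS):
    """Return every record whose oauth_application_id is one of the affected apps."""
    return [r for r in records if r.get("oauth_application_id") in app_ids]


def summarize_by_repo(flagged):
    """Count flagged events per repository so reviewers see which repos were touched."""
    return Counter(r.get("repo", "<none>") for r in flagged)


def bulk_download_pairs(flagged, threshold=2):
    """Return (actor, app_id) pairs with at least `threshold` download-style events.

    Repeated zip downloads or clones by one app token across many repositories
    is the pattern described in the advisory (mining private repo contents).
    """
    counts = Counter(
        (r.get("actor"), r.get("oauth_application_id"))
        for r in flagged
        if r.get("action") in DOWNLOAD_ACTIONS
    )
    return {pair for pair, n in counts.items() if n >= threshold}


def main():
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    flagged = flag_affected_app_activity(records)
    print(f"{len(flagged)} of {len(records)} events attributed to affected OAuth apps")
    for r in flagged:
        print(f"  {r['created_at']} {r['actor']:>6} app={r['oauth_application_id']} "
              f"{r['action']} {r.get('repo', '<none>')}")
    print("events per repo:", dict(summarize_by_repo(flagged)))
    print("bulk-download actor/app pairs:", bulk_download_pairs(flagged))


if __name__ == "__main__":
    main()
```

On a real export, replace SAMPLE_AUDIT_LOG with the file contents and confirm the field names against the actual export before trusting the counts; an event in the flagged list is a reason to check whether the corresponding token was revoked and what the repository contained, not proof of compromise on its own.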