Home / Threat Intelligence bulletins / Stolen OAuth user tokens used to breach private GitHub/npm repositories


GitHub has detected an active attack campaign in which private data was accessed. It’s believed that stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, were used to access data from private repositories.


Some GitHub users had private repositories leaked. API keys or other secrets stored in these repositories could be abused for further malicious activity.

Vulnerability Detection

GitHub has notified affected customers.

Affected Products

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

Containment, Mitigations & Remediations

GitHub recommends that users periodically review the OAuth applications with access permissions and remove those that are no longer needed.

It may be worth checking audit logs and user account security logs for unexpected activity.

Indicators of Compromise

None listed.

Threat Landscape

Having access to private source code could allow the attacker to find and exploit vulnerabilities more easily. Any secrets included in the source code would also be useful for pivoting to other targets.

Mitre Methodologies

T1078.004 – Cloud Accounts

Further Information

Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators

SECURITY BULLETIN; Certain private customer repositories may have been accessed

Heroku Security Notification