Stolen OAuth user tokens used to breach private GitHub/npm repositories
GitHub has detected an active attack campaign in which private data was accessed. It’s believed that stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, were used to access data from private repositories.
Some GitHub users had private repositories leaked. API keys or other secrets stored in these repositories could be abused for further malicious activity.
GitHub has notified affected customers. The OAuth applications whose stolen user tokens are known to have been involved are:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
Containment, Mitigations & Remediations
GitHub recommends that users periodically review the OAuth applications that have been granted access to their accounts and organizations, and revoke any that are no longer needed.
Organization audit logs and user account security logs should also be checked for unexpected activity, in particular repository content access (clones, archive downloads) from unfamiliar actors or source addresses, and new third-party authorizations. Any secrets committed to a repository that may have been accessed should be treated as exposed and rotated.
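The following script is an added example of the log review suggested above; it is not code from GitHub, Heroku or Travis CI. It reads a constructed JSON-lines export whose schema (fields `@timestamp`, `action`, `actor`, `actor_ip`, `repo`) is an assumed simplification of an audit-log export, and the action names are illustrative, so both must be mapped to the field and action names in your real export. It flags repository content access from outside the source ranges an actor is expected to use, content access by actors with no known ranges, and every new OAuth authorization, then lists the repositories whose secrets should be considered exposed.

```python
"""Flag unexpected access in a GitHub-style audit log export.

Added example for this advisory, not code from GitHub, Heroku or
Travis CI. The event schema ("@timestamp", "action", "actor", "actor_ip",
"repo") is an assumed simplification of an audit-log export, and the
action names are illustrative: map both to the names in your own export.
"""
import ipaddress
import json

# Constructed sample export in JSON-lines form. Not real log data; the
# addresses are RFC 5737 documentation ranges.
SAMPLE_EXPORT = """\
{"@timestamp": "2022-04-12T09:14:02Z", "action": "git.clone", "actor": "ci-bot", "actor_ip": "203.0.113.10", "repo": "acme/payments"}
{"@timestamp": "2022-04-12T23:41:55Z", "action": "git.clone", "actor": "ci-bot", "actor_ip": "198.51.100.77", "repo": "acme/payments"}
{"@timestamp": "2022-04-13T01:02:17Z", "action": "repo.download_zip", "actor": "ci-bot", "actor_ip": "198.51.100.77", "repo": "acme/internal-tools"}
{"@timestamp": "2022-04-13T08:30:00Z", "action": "repo.create", "actor": "alice", "actor_ip": "203.0.113.22", "repo": "acme/new-service"}
{"@timestamp": "2022-04-13T08:31:10Z", "action": "oauth_authorization.create", "actor": "alice", "actor_ip": "203.0.113.22", "repo": null}
{"@timestamp": "2022-04-13T11:05:44Z", "action": "git.clone", "actor": "deploy-svc", "actor_ip": "203.0.113.5", "repo": "acme/infra"}
"""

# Actions that read repository contents: suspicious when they come from
# somewhere the actor does not normally operate from.
CONTENT_ACCESS_ACTIONS = {"git.clone", "repo.download_zip"}

# Actions that grant a third-party app access to the account: always
# reported, since each grant should be confirmed as still needed.
REVIEW_ALWAYS_ACTIONS = {"oauth_authorization.create"}


def load_events(text):
    """Parse a JSON-lines export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious(events, expected_sources):
    """Return the events an analyst should look at, each with its reasons.

    expected_sources maps an actor name to the CIDR ranges that actor is
    expected to operate from (for a CI integration, the provider's egress
    ranges). Actors absent from the map have no known ranges at all.
    """
    nets = {actor: [ipaddress.ip_network(c) for c in cidrs]
            for actor, cidrs in expected_sources.items()}
    hits = []
    for ev in events:
        reasons = []
        action, actor = ev["action"], ev["actor"]
        if action in REVIEW_ALWAYS_ACTIONS:
            reasons.append("new third-party authorization; confirm it is still needed")
        if action in CONTENT_ACCESS_ACTIONS:
            ip = ipaddress.ip_address(ev["actor_ip"])
            if actor not in nets:
                reasons.append("content access by an actor with no known source ranges")
            elif not any(ip in n for n in nets[actor]):
                reasons.append(f"content access from {ip}, outside {actor}'s expected ranges")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def repos_touched(hits):
    """Repositories in the flagged events; treat any secrets in them as exposed."""
    return {h["repo"] for h in hits if h.get("repo")}


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    # Assumed: both known actors normally operate from 203.0.113.0/24.
    expected = {"ci-bot": ["203.0.113.0/24"], "alice": ["203.0.113.0/24"]}
    hits = find_suspicious(events, expected)
    for h in hits:
        print(h["@timestamp"], h["actor"], h["action"], h.get("repo"), "|", "; ".join(h["reasons"]))
    print("repos to treat as exposed:", sorted(repos_touched(hits)))
```

Run against the sample, the first clone from the expected range is ignored, the two content reads from 198.51.100.77 and the clone by the unlisted actor are reported, and the new OAuth grant is listed for review regardless of origin. The per-actor source ranges are the key input: for a CI integration they are the provider's published egress addresses, and a repository read by that integration's identity from anywhere else is exactly the pattern a stolen token produces.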
Indicators of Compromise
Access to private source code makes it easier for an attacker to find and exploit vulnerabilities in the affected software. Any secrets committed to that code (API keys, tokens, credentials) can be used to pivot to other targets, which is why anything stored in a potentially accessed repository should be rotated.
MITRE ATT&CK: T1078.004 – Valid Accounts: Cloud Accounts
References
- GitHub blog: Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators
- Security Bulletin: Certain private customer repositories may have been accessed