Stolen OAuth user tokens used to breach private GitHub/npm repositories
Overview
GitHub has detected an active attack campaign in which private data was accessed. It’s believed that stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, were used to access data from private repositories.
Impact
Some GitHub users had private repositories leaked. API keys or other secrets stored in these repositories could be abused for further malicious activity.
Vulnerability Detection
GitHub has notified affected customers.
Affected Products
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
Containment, Mitigations & Remediations
GitHub recommends that users periodically review the OAuth applications that have been granted access to their accounts and organizations, and remove any that are no longer needed.
It is also worth reviewing organization audit logs and user account security logs for unexpected activity, such as repository clones or downloads at unusual times or by OAuth applications you do not recognise.
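The following Python script is an added example of the audit-log review described above; it is not code from GitHub or from this bulletin. It runs over a constructed, newline-delimited JSON sample whose field names (`timestamp`, `action`, `actor`, `repo`, `oauth_application_id`) and action names (`git.clone`, `repo.download_zip`, `oauth_authorization.create`) are assumptions for illustration, not GitHub's real audit-log export schema. The application IDs are the ones listed under Affected Products.

```python
"""Triage audit-log entries for activity by OAuth apps named in an advisory.

Added example: the log layout, field names and action names below are a
constructed, hypothetical schema, not GitHub's actual audit-log export.
"""
import json
from datetime import datetime

# OAuth application IDs listed under "Affected Products" in the bulletin.
AFFECTED_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# Actions that move repository contents off the platform (assumed names).
DATA_ACCESS_ACTIONS = {"git.clone", "repo.download_zip"}

# Constructed sample log, one JSON object per line; the last line is
# deliberately malformed to show that a scan must survive bad input.
SAMPLE_LOG = """\
{"timestamp": "2022-04-12T03:14:00Z", "action": "repo.download_zip", "actor": "dev-alice", "repo": "acme/internal-api", "oauth_application_id": 145909}
{"timestamp": "2022-04-12T09:30:00Z", "action": "git.clone", "actor": "dev-bob", "repo": "acme/website", "oauth_application_id": 424242}
{"timestamp": "2022-04-13T02:50:00Z", "action": "git.clone", "actor": "dev-alice", "repo": "acme/secrets-vault", "oauth_application_id": 9216}
{"timestamp": "2022-04-13T15:00:00Z", "action": "oauth_authorization.create", "actor": "dev-carol", "oauth_application_id": 9216}
this line is not JSON and must be skipped rather than abort the review
"""


def parse_entries(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should not stop the whole review
    return entries


def is_off_hours(ts, start=0, end=6):
    """True if the UTC hour of an ISO-8601 timestamp falls in [start, end)."""
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return start <= hour < end


def find_suspicious(entries, affected_ids=AFFECTED_APP_IDS):
    """Return one finding per entry attributable to an affected OAuth app.

    Each finding carries the actor, the repo (if any) and a list of reasons;
    data-access actions and off-hours timing add reasons so a responder can
    prioritise which users and repositories to handle first.
    """
    findings = []
    for e in entries:
        app_id = e.get("oauth_application_id")
        if app_id not in affected_ids:
            continue
        reasons = [f"oauth app {app_id} is listed in the advisory"]
        if e.get("action") in DATA_ACCESS_ACTIONS:
            reasons.append(f"repository contents read via {e['action']}")
        if is_off_hours(e["timestamp"]):
            reasons.append("activity during off-hours (00:00-06:00 UTC)")
        findings.append({
            "timestamp": e["timestamp"],
            "actor": e.get("actor"),
            "repo": e.get("repo"),
            "reasons": reasons,
        })
    return findings


def actors_to_review(findings):
    """Users whose authorizations for affected apps should be revoked."""
    return {f["actor"] for f in findings}


def repos_needing_secret_rotation(findings):
    """Repositories whose contents were read via an affected app."""
    return {f["repo"] for f in findings
            if f["repo"] and any("contents read" in r for r in f["reasons"])}


if __name__ == "__main__":
    found = find_suspicious(parse_entries(SAMPLE_LOG))
    for f in found:
        print(f["timestamp"], f["actor"], f["repo"], "; ".join(f["reasons"]))
    print("revoke/review tokens for:", sorted(actors_to_review(found)))
    print("rotate secrets in:", sorted(repos_needing_secret_rotation(found)))
```

Run it as-is to see the three flagged entries from the sample; to use it on a real export, adapt `parse_entries` and the field names to whatever schema your audit-log source actually produces. The two derived sets map directly onto the remediation steps above: revoke the affected applications for the listed users, and rotate any API keys or other secrets stored in the listed repositories.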
Indicators of Compromise
None listed.
Threat Landscape
Having access to private source code could allow the attacker to find and exploit vulnerabilities more easily. Any secrets included in the source code would also be useful for pivoting to other targets.
Mitre Methodologies
T1078.004 – Cloud Accounts
Further Information
SECURITY BULLETIN: Certain private customer repositories may have been accessed