GitHub has investigated a security incident that uncovered abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. The applications maintained by these integrators were used by GitHub users, including GitHub itself.
We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats. Following an immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14;
Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps.
Known-affected OAuth applications as of April 15, 2022:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)
The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key. This key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications. Upon discovering the broader theft of third-party OAuth tokens they were revoked immediately.
The attacker did not modify any packages or gain access to any user account data or credentials. GitHub was not affected by this original attack. Though the investigation continues, we have found no evidence that other GitHub-owned private repositories were cloned by the attacker using stolen third-party OAuth tokens.
GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and the next steps to assist in their own response within the next 72 hours.
Customers who are directly contacted by GitHub regarding this issue are welcome to contact us according to the directions in the notification you received.