GitHub says hackers used stolen OAuth tokens to break into dozens of organizations including npm
GitHub Chief Security Officer Mike Hanley revealed that attackers were using stolen OAuth user tokens to download data from private repositories.
There is evidence that attackers abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.
The applications maintained by these integrators are used by GitHub users, including GitHub itself.
The attackers did not obtain these tokens by compromising GitHub or its systems; GitHub does not store the tokens in their original, usable format.
Applications and services use OAuth access tokens to authorize access to specific user data and communicate with each other without sharing actual credentials.
OAuth access tokens are one of the most common methods used to pass authorization from a single sign-on (SSO) service to another application.
GitHub Security discovered on April 12 that an attacker used a leaked AWS API key to gain unauthorized access to GitHub’s npm production infrastructure.
The attackers obtained this AWS API key by using a stolen OAuth token to download a set of private npm repositories. They did not modify any GitHub packages or access any user account data; they only downloaded the code of the affected private repositories.
In this incident the leaked credentials were OAuth user tokens, and the affected services are the Heroku Dashboard and Travis CI. GitHub has revoked the access tokens associated with the affected applications and has notified all known affected users and organizations by email.
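The pattern described above, a third-party integrator's OAuth token being used to pull many private repositories in a short burst, is detectable on the defender's side from access records. The following is an added example, not code from the original article or from GitHub; the log records are constructed, and the field layout (timestamp, token id, OAuth app, repository, visibility) is an assumed simplified schema, not GitHub's real audit-log format. It finds, per token, the largest number of distinct private repositories read inside any sliding time window and flags tokens that cross a threshold, which is the kind of signal that justifies revoking an integrator's grant.

```python
"""Flag OAuth-app tokens that read an unusual number of private repositories.

Added example (not part of the original article or any GitHub tooling).
SAMPLE_LOG is constructed data in an assumed, simplified schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, token id, OAuth app, repo, visibility).
# tok-A reads six different private repos in under 30 seconds (suspicious);
# tok-B reads the same private repo twice, hours apart (normal CI behaviour);
# tok-C touches only public repos (ignored).
SAMPLE_LOG = [
    ("2022-04-12T10:00:00", "tok-A", "ci-integrator", "acme/billing", "private"),
    ("2022-04-12T10:00:05", "tok-A", "ci-integrator", "acme/auth", "private"),
    ("2022-04-12T10:00:09", "tok-A", "ci-integrator", "acme/infra", "private"),
    ("2022-04-12T10:00:14", "tok-A", "ci-integrator", "acme/payments", "private"),
    ("2022-04-12T10:00:20", "tok-A", "ci-integrator", "acme/deploy-config", "private"),
    ("2022-04-12T10:00:25", "tok-A", "ci-integrator", "acme/web", "private"),
    ("2022-04-12T09:00:00", "tok-B", "ci-integrator", "acme/web", "private"),
    ("2022-04-12T11:30:00", "tok-B", "ci-integrator", "acme/web", "private"),
    ("2022-04-12T12:00:00", "tok-C", "docs-bot", "acme/docs", "public"),
    ("2022-04-12T12:00:01", "tok-C", "docs-bot", "acme/site", "public"),
]


def parse_records(records):
    """Convert ISO timestamps to datetime objects; other fields pass through."""
    return [
        (datetime.fromisoformat(ts), token, app, repo, visibility)
        for ts, token, app, repo, visibility in records
    ]


def max_private_repos_in_window(records, window=timedelta(minutes=10)):
    """For each token, the largest count of distinct private repos read within
    any window of the given length. Tokens that never touch a private repo are
    absent from the result."""
    by_token = defaultdict(list)
    for ts, token, _app, repo, visibility in parse_records(records):
        if visibility == "private":
            by_token[token].append((ts, repo))

    result = {}
    for token, events in by_token.items():
        events.sort()  # chronological order for the sliding window
        best, start = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits the time bound.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({repo for _, repo in events[start:end + 1]})
            best = max(best, distinct)
        result[token] = best
    return result


def flag_bulk_downloads(records, threshold=5, window=timedelta(minutes=10)):
    """Return {token: max distinct private repos in window} for tokens at or
    above the threshold; these are the grants worth reviewing or revoking."""
    counts = max_private_repos_in_window(records, window)
    return {token: n for token, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for token, n in flag_bulk_downloads(SAMPLE_LOG).items():
        print(f"{token}: {n} distinct private repositories in one window")
```

The threshold and window are tuning knobs: a CI integrator legitimately reads the repositories it builds, so the baseline should be learned per application and per organization before the threshold is set, and a hit should be correlated with where the request came from and whether the integrator's own infrastructure reported an incident.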