Skip to content

Search the site

GitHub hacked, npm data stolen after 0auth tokens stolen in upstream breach

GitHub hacked after Heroku, Travis-CI 0auth tokens stolen in upstream attack

GitHub hacked after Heroku, Travis-CI 0auth tokens stolen in upstream attack. More updates with fresh comment from GitHub and Heroku in our April 28 article here. Follow on LinkedIn for more also.

An unknown attacker breached GitHub to download data from scores of private code repositories including that of npm -- the world's largest software registry with 75 billion downloads a month -- the company has confirmed in a hugely troubling cybersecurity incident. GitHub says it and other affected companies were compromised after the attacker stole authentication tokens from two other upstream software firms.

GitHub Security confirmed the breach on April 18, saying it spotted unauthorised access to its own npm production infrastructure using a compromised AWS API key on April 12 as part of the evolving incident. (GitHub operates numerous microservices and databases underpinning production infrastructure for the npm registry; a JavaScript code hub and the largest software registry in the world, which it bought in 2020.)

GitHub said it saw "unauthorized access to, and downloading of, the private repositories in the npm organization on and potential access to the npm packages as they exist in AWS S3 storage... we assess that the attacker did not modify any packages or gain access to any user account data or credentials."

GitHub hacked after Heroku, Travis-CI 0auth tokens accessed

The attackers appear to be using 0Auth -- an industry standard authorisation protocol -- tokens stolen from software providers Heroku and Travis-CI to launch the attacks, GitHub said: "We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations... Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure."

0Auth tokens from the following applications were abused, it said.

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

Troublingly, it appears that both Heroku and Travis-CI were oblivious to the breach until GitHub notified them, with both saying they had taken action after GitHub informed them of the breach.

GitHub's statement.

Heroku's statement.

Travis-CI's statement.

Casey Ellis, CTO of Bugcrowd noted in an emailed comment to The Stack: "The cloud has brought us a huge range of security improvements, but the convenience has a hidden downside - The ease of use also means it’s easier to make a security oversight, like failing to audit, monitor, or expire Oauth keys. When Oauth keys like the ones used in this attack can’t be stolen from a database or poorly-permissioned repository they are often gleaned from the client-side using malware or browser-based attacks, then collected and aggregated by Initial Access Brokers, and on-sold to those who need to use them for a specific attack. I suspect that is what has happened here, and the important lesson is that this type of layered-threat is a present and active risk for anything hosted in the cloud.”

Join your peers following The Stack on LinkedIn

Heroku is used by developers to deploy, run and manage cloud applications. It is owned by Salesforce. Travis CI is a continuous integration, continuous development (CI/CD) platform used by over 300,000 projects including Ruby on Rails, Ember.js, OpenSSL, Puppet, and Logstash. Heroku said it had effectively temporarily killed off its GitHub integration in a bid to reduce the attack's impact, telling users that "this will prevent you from deploying your apps from GitHub through the Heroku dashboard or via Heroku automation."

GitHub added that it has contacted the companies whose private repos were accessed.

The company added in an April 18 update to its blog: "We are still working to understand whether the attacker viewed or downloaded private [npm] packages. npm uses completely separate infrastructure from; GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens."

Heroku, Travis-CI respond, bolt stable door...

Heroku added in a carefully worded statement: "On April 13, 2022, Salesforce Security was notified by GitHub that a subset of Heroku’s GitHub private repositories, including some source code, was downloaded by a threat actor on April 9, 2022. Based on Salesforce’s initial investigation, it appears that unauthorized access to Heroku's GitHub account was the result of a compromised OAuth token. Salesforce immediately disabled the compromised user’s OAuth tokens and disabled the compromised user’s GitHub account... GitHub reported that the threat actor was enumerating GitHub customer accounts using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub. Based on the information GitHub shared with us, we are investigating how the threat actor gained access to customer OAuth tokens. The compromised tokens could provide the threat actor access to customer GitHub repos, but not customer Heroku accounts. With the access to customer OAuth tokens, the threat actor may have read and write access to customer GitHub repositories connected to Heroku.

Travis CI said: "On April 15, 2022, Travis CI personnel were informed that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token. Immediately upon learning this information, Travis CI immediately revoked all authorization keys and tokens preventing any further access to our systems. No customer data was exposed and no further access was possible. Upon further review that same day, Travis CI personnel learned that the hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application. This key does not provide access to any Travis CI customer repositories or any Travis CI customer data. We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access. Based on what we have found, we do not believe this is an issue or risk to our customers" the company added on April 18.

Are you affected? Do you have concerns or thoughts you want to share? Pop us an email.

See also: 7 free cybersecurity tools your team should know