GitHub was hacked. Source code leaked from multiple repositories

In its latest security report, GitHub confirmed that a group of threat actors is using OAuth tokens issued to legitimate users to download data from private repositories. The campaign was detected a week ago, and dozens of compromised repositories have already been observed, all belonging to users of OAuth applications maintained by Heroku and Travis-CI.

Mike Hanley, GitHub’s chief security officer, confirmed the incident, noting that GitHub itself uses some of the affected apps: “Our analysis suggests that threat actors could be mining the contents of the downloaded private repository, to which the stolen OAuth token had access, in search of secrets that could be used to move to another infrastructure.”

The list of affected applications includes:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

GitHub’s security teams identified unauthorized access to its npm production infrastructure on April 12, when threat actors used a compromised AWS API key. This key could have been obtained by downloading some private npm repositories with the compromised tokens.

The tokens used for the attack were revoked when the platform identified the compromise. Hanley confirmed that the impact of the incident includes unauthorized access to private GitHub.com repositories, in addition to potential access to npm packages on its AWS S3 storage.

Even though threat actors could have stolen information from the compromised repositories, the platform has concluded that none of the packages were modified for malicious purposes: “npm uses an infrastructure independent of GitHub,” Hanley’s message concluded.

Security teams on the platform are already working to notify affected users while continuing an active investigation into the intrusion. To speed up the investigation, GitHub recommends that users review their organizations’ audit logs, as well as the security log of each account, to identify potential signs of compromise.