On Friday, GitHub, a cloud-based repository hosting service, disclosed that it had found evidence of an unknown adversary using stolen OAuth user tokens to illegally extract sensitive data from various businesses.
“An attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM,” said GitHub’s Mike Hanley.
Apps and services generally use OAuth access tokens to grant access to particular areas of a user’s data and to interact with one another without divulging the user’s real credentials. It is one of the most common ways for a single sign-on (SSO) provider to grant authorization to another application.
As of April 15, 2022, the following OAuth apps are affected:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831), and
- Travis CI (ID: 9216)
According to the company, the OAuth tokens were not obtained through a breach of GitHub or its systems, since GitHub does not store them in their original, usable form. GitHub also warned that the threat actor may be mining the private repository contents downloaded from target organizations that use these third-party OAuth applications for additional secrets, which could then be used to pivot to other parts of those organizations’ infrastructure.
On April 12, the Microsoft-owned platform discovered early signs of the campaign when unauthorized access to its NPM production environment was gained through a compromised AWS API key. This key is thought to have been acquired by using a stolen OAuth token from one of the two affected OAuth applications to download a series of unnamed private NPM repositories. According to GitHub, the access tokens linked with the affected apps have since been revoked.
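The pivot path described above, in which private repository contents are mined for embedded credentials such as an AWS API key, is the kind of exposure defenders can find and close before an attacker does. The following is an added example, not code from GitHub, Heroku or Travis CI: an offline scanner that flags AWS key pairs and GitHub tokens in repository text, with an entropy gate so that template placeholders are not reported. The sample configuration is constructed; the AWS values are AWS’s documented placeholder keys.

```python
import math
import re
from typing import List, Tuple

# Each entry: (kind, regex, entropy_gated). Capturing group 1, where present,
# isolates the secret value; the prefixes are the published key formats.
PATTERNS: List[Tuple[str, re.Pattern, bool]] = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), False),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"), True),
    ("github_token", re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"), False),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; real 40-char AWS secrets score above 4, placeholders far lower."""
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_secrets(text: str, min_entropy: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, value) for each credential-looking hit in text."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx, gated in PATTERNS:
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # The entropy gate drops template placeholders such as forty x's.
                if gated and shannon_entropy(value) < min_entropy:
                    continue
                hits.append((line_no, kind, value))
    return hits

# Constructed sample; the AWS values are the documented AWS placeholder keys.
SAMPLE_CONFIG = """\
# .env committed by mistake (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# template placeholder, should not be reported
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

if __name__ == "__main__":
    for line_no, kind, value in find_secrets(SAMPLE_CONFIG):
        # Print a redacted form so the report itself does not leak the secret.
        print(f"line {line_no}: {kind} {value[:4]}...{value[-4:]} -> rotate and revoke")
```

Any hit is a credential to rotate and revoke, not merely to delete from the tree, since the history of an already-downloaded repository still contains it.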
“At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials,” said the company, adding that it is still investigating whether the attacker viewed or downloaded private packages. GitHub also stated that it is working to identify and notify all known affected individuals and organizations within the next 72 hours.