Attacker Accessed Dozens of Repositories After OAuth Token Theft

GitHub has revealed that dozens of organizations were compromised by a data thief that used stolen OAuth tokens to access their private repositories.

The developer platform’s security team opened an investigation into the campaign around a week ago and had finally notified all the identified victims by yesterday.

GitHub CSO, Mike Hanley, claimed that third-party OAuth user tokens maintained by Heroku and Travis CI were abused by the attacker. However, it’s not thought they were stolen via a compromise of GitHub itself as the platform doesn’t store the tokens in their original, usable format, he added.

“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure,” Hanley explained.

Among the organizations impacted is software registry npm.

“The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key,” said Hanley.

“Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above.”

After discovering the broader campaign, GitHub’s security team revoked tokens associated with GitHub and npm’s internal use of the compromised OAuth apps.

The Travis CI team said yesterday that it had revoked and reissued all private customer auth keys and tokens integrating Travis CI with GitHub but that it doesn’t believe the issue is a risk to customers.

“On April 15 2022, Travis CI personnel were informed that certain private customer repositories may have been accessed by an individual who used a man-in-the-middle 2FA attack, leveraging a third-party integration token,” it said.

“Upon further review that same day, Travis CI personnel learned that the hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku and Travis CI application. This key does not provide access to any Travis CI customer repositories or any Travis CI customer data. We thoroughly investigated this issue and found no evidence of intrusion into a private customer repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide that type of access.”

Heroku has revoked all OAuth tokens from the Heroku Dashboard GitHub integration and has temporarily suspended the issuing of tokens from the Heroku Dashboard.

Leave a Reply