An unknown threat actor is harvesting data from private code repositories, with the help of stolen OAuth user tokens issued to Heroku and Travic-CI.
As reported by GitHub, by last Tuesday, the threat actor managed to steal data from “dozens of victims”.
“The applications maintained by these integrators were used by GitHub users, including GitHub itself,” said Mike Hanley, Chief Security Officer at GitHub.
No credentials stolen
Hanley went on to explain that the attacker did not obtain these tokens as a result of a breach at GitHub, which did not store the stolen tokens in their original, usable format.
“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure,” he added.
Hanley said affected OAuth applications include Heroku Dashboard (ID: 145909 and ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
The attacker was spotted on April 12, when they tried to use a compromised AWS API key to access GitHub’s npm production infrastructure. It’s speculated that the attacker found the API key when downloading multiple private npm repositories.
“Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications,” Hanley further explained.
“npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack,” Hanley said. “Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”