GitHub hacked, npm data stolen after Heroku and Travis-CI tokens abused

GitHub hacked after Heroku and Travis-CI OAuth tokens were stolen in upstream attack

An unknown attacker hacked GitHub to download data from dozens of private code repositories, including those of npm – the world’s largest software registry, with 75 billion downloads per month – the company has confirmed, in an extremely disturbing cybersecurity incident. GitHub says it and other affected companies were compromised after the attacker stole authentication tokens from two other upstream software companies.

GitHub Security confirmed the breach on April 18, saying that, as the incident evolved, it spotted unauthorized access to its own production npm infrastructure using a compromised AWS API key on April 12. (GitHub leverages many of the microservices and databases that underpin the production infrastructure for the npm registry, a JavaScript code hub and the world’s largest software registry, which it bought in 2020.)

GitHub said it has seen “unauthorized access and downloading of the npm organization’s private repositories on GitHub.com and potential access to npm packages as they exist in AWS S3 storage… we believe that the attacker did not modify any packages or access any user account data or credentials.”

GitHub hacked after accessing Heroku and Travis-CI OAuth tokens

Attackers appear to be using OAuth tokens (OAuth is an industry-standard authorization protocol) stolen from software vendors Heroku and Travis-CI to launch the attacks. GitHub said: “We believe that compromised OAuth user tokens from OAuth applications managed by Heroku and Travis-CI were stolen and abused to download private repositories belonging to dozens of victim organizations… Our analysis of other behaviors from the threat actor suggests that actors can mine content from the downloaded private repository, which the stolen OAuth token had access to, for secrets that could be used to pivot to other infrastructure.”

The following apps’ OAuth tokens were abused, GitHub said.

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Overview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)
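
The list above can be used directly for triage: because GitHub says downloaded repositories may be mined for secrets, the repositories read through these apps are the ones whose embedded credentials need rotating. The following is an added example, not code from GitHub or the original article, that finds them in a JSON-lines audit-log export; the record schema (`action`, `repo`, `created_at`, `oauth_application_id`), the action names and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# OAuth application IDs from the list above, mapped to the vendor managing the app.
ABUSED_APPS = {145909: "Heroku", 628778: "Heroku", 313468: "Heroku",
               363831: "Heroku", 9216: "Travis CI"}
# Assumed action names for events that read repository contents.
READ_ACTIONS = {"git.clone", "git.fetch", "repo.download_zip"}

# Constructed sample export (hypothetical schema, one JSON object per line).
SAMPLE_LOG = [
    '{"action":"git.clone","repo":"example-org/payments","created_at":"2022-04-10T02:14:07Z","oauth_application_id":145909}',
    '{"action":"git.clone","repo":"example-org/payments","created_at":"2022-04-11T23:40:51Z","oauth_application_id":"363831"}',
    '{"action":"git.clone","repo":"example-org/web","created_at":"2022-04-12T08:00:00Z","oauth_application_id":9216}',
    '{"action":"git.push","repo":"example-org/web","created_at":"2022-04-12T09:00:00Z","oauth_application_id":9216}',
    '{"action":"git.clone","repo":"example-org/docs","created_at":"2022-04-12T10:00:00Z","oauth_application_id":777777}',
    '{"action":"git.clone","repo":"example-org/docs","created_at":"2022-04-12T10:05:00Z"}',
    'not json',
]

def repos_to_review(lines):
    """Return {repo: summary} for repositories read through one of the listed apps."""
    hits = defaultdict(lambda: {"vendors": set(), "events": 0, "first": None, "last": None})
    for line in lines:
        try:
            ev = json.loads(line)
            app_id = int(ev["oauth_application_id"])  # exports may quote the ID
        except (ValueError, KeyError, TypeError):
            continue  # malformed line, or event not made through an OAuth app
        if app_id not in ABUSED_APPS or ev.get("action") not in READ_ACTIONS:
            continue
        repo, ts = ev.get("repo"), ev.get("created_at")
        if not repo or not ts:
            continue
        s = hits[repo]
        s["vendors"].add(ABUSED_APPS[app_id])
        s["events"] += 1
        # UTC ISO 8601 timestamps in one format sort correctly as strings.
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    for repo, s in sorted(repos_to_review(SAMPLE_LOG).items()):
        print(repo, sorted(s["vendors"]), s["events"], s["first"], s["last"])
```

Every repository the function returns should have its history searched for keys, tokens and passwords, and anything found treated as exposed from the `first` timestamp onward.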

Disturbingly, it appears Heroku and Travis-CI were unaware of the breach until GitHub notified them; both say they took action after that notification.

Casey Ellis, Technical Director of Bugcrowd, noted in a comment emailed to The Stack: “The cloud has given us a huge range of security improvements, but convenience has a hidden downside – ease of use also means it’s easier to do security monitoring, like not auditing, monitoring or expiring OAuth keys. When OAuth keys like the ones used in this attack cannot be stolen from a rogue database or repository, they are often gleaned from the client side using malware or browser-based attacks, then collected and aggregated by Initial Access Brokers, and resold to those who need to use them for a specific attack. I suspect that’s what happened here, and the important lesson is that this type of layered threat is a present and active risk for anything hosted in the cloud.”

Heroku is used by developers to deploy, run and manage cloud applications. It belongs to Salesforce. Travis CI is a continuous integration and continuous delivery (CI/CD) platform used by over 300,000 projects, including Ruby on Rails, Ember.js, OpenSSL, Puppet, and Logstash. Heroku said it had in effect temporarily killed its GitHub integration in an effort to lessen the impact of the attack, telling users that “this will prevent you from deploying your applications from GitHub via the Heroku dashboard or via the Heroku automation”.

GitHub added that it has reached out to companies whose private repositories have been viewed.

The company added in an April 18 update on its blog: “We are still working to understand if the attacker viewed or downloaded any private [npm] packages. npm uses a completely separate infrastructure from GitHub.com; GitHub was unaffected by this initial attack. Although the investigation is ongoing, we have found no evidence that other private repositories belonging to GitHub have been cloned by the attacker using stolen third-party OAuth tokens.”

Heroku, Travis-CI respond, lock the stable door…

Heroku added in a carefully worded statement: “On April 13, 2022, Salesforce Security was notified by GitHub that a subset of Heroku’s private GitHub repositories, including source code, was uploaded by a malicious actor on April 9, 2022. On initial investigation, it appears that the unauthorized access to Heroku’s GitHub account was the result of a compromised OAuth token. Salesforce immediately disabled the compromised user’s OAuth tokens and disabled the compromised user’s GitHub account… GitHub reported that the threat actor was enumerating GitHub customer accounts using OAuth tokens issued to Heroku’s OAuth integration dashboard hosted on GitHub. Based on the information GitHub has shared with us, we are investigating how the threat actor gained access to the client’s OAuth tokens. Compromised tokens could provide the threat actor with access to customers’ GitHub repositories, but not to customers’ Heroku accounts. With access to the customer’s OAuth tokens, the threat actor can gain read and write access to the customer’s GitHub repositories connected to Heroku.”

Travis CI said: “On April 15, 2022, Travis CI personnel were made aware that certain private customer repositories may have been accessed by someone who used a man-in-the-middle 2FA attack, exploiting a third-party integration token. Immediately upon learning of this information, Travis CI immediately revoked all authorization keys and tokens preventing further access to our systems. No customer data was exposed and no further access was possible. After further investigation the same day, Travis CI staff learned that the hacker breached a Heroku service and accessed a private application OAuth key used to integrate the Heroku application and Travis CI. This key does not provide access to any Travis CI customer repositories or any Travis CI customer data. We thoroughly investigated this issue and found no evidence of intrusion into a private client repository (i.e. source code) as the OAuth key stolen in the Heroku attack does not provide this type of access. Based on what we have found, we do not believe this is an issue or risk for our customers,” it added on April 18.
