January 22, 2025

Cloud-based repository hosting service GitHub on Friday shared additional details about the theft of GitHub integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information.

“Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure,” Greg Ose said, adding that the attacker then managed to obtain a number of files:

  • A database backup of skimdb.npmjs.com consisting of data as of April 7, 2021, including an archive of user information from 2015 and all private NPM package manifests and package metadata. The archive contained NPM usernames, password hashes, and email addresses for roughly 100,000 users
  • A set of CSV files encompassing an archive of all names and version numbers of published versions of all NPM private packages as of April 10, 2022, and
  • A “small subset” of private packages from two organizations

As a consequence, GitHub is taking the step of resetting the passwords of impacted users. It’s also expected to directly notify users with exposed private package manifests, metadata, and private package names and versions over the next couple of days.

The attack chain, as detailed by GitHub, involved the attacker abusing the OAuth tokens to exfiltrate private NPM repositories containing AWS access keys, and subsequently leveraging them to gain unauthorized access to the registry’s infrastructure.

That said, none of the packages published to the registry are believed to have been modified by the adversary nor were any new versions of existing packages uploaded to the repository.

Additionally, the company said the investigation into the OAuth token attack revealed an unrelated issue that involved the discovery of an unspecified “number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems.”

GitHub noted that it mitigated the problem prior to the discovery of the attack campaign and that it had purged the logs containing the plaintext credentials.

The OAuth theft, which GitHub uncovered on April 12, concerned an unidentified actor taking advantage of stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of organizations, including NPM.

The Microsoft-owned subsidiary, earlier this month, called the campaign “highly targeted” in nature, adding “the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories.”

Heroku has since acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database, prompting the company to reset all user passwords.