Cyber Security

Nearly 100,000 NPM Users’ Credentials Stolen in GitHub OAuth Breach

Cloud-based repository hosting service GitHub on Friday shared additional details on the theft of GitHub integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information.

“Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure,” Greg Ose said, adding the attacker then managed to obtain a number of files –

  • A database backup of skimdb.npmjs.com consisting of data as of April 7, 2021, including an archive of user information from 2015 and all private NPM package manifests and package metadata. The archive contained NPM usernames, password hashes, and email addresses for roughly 100,000 users
  • A set of CSV files encompassing an archive of all names and version numbers of published versions of all NPM private packages as of April 10, 2022, and
  • A “small subset” of private packages from two organizations

As a consequence, GitHub is taking the step of resetting the passwords of impacted users. It’s also expected to directly notify users with exposed private package manifests, metadata, and private package names and versions over the next couple of days.

The attack chain, as detailed by GitHub, involved the attacker abusing the OAuth tokens to exfiltrate private NPM repositories containing AWS access keys, and subsequently leveraging them to gain unauthorized access to the registry’s infrastructure.

That said, none of the packages published to the registry are believed to have been modified by the adversary nor were any new versions of existing packages uploaded to the repository.

Additionally, the company said the investigation into the OAuth token attack revealed an unrelated issue that involved the discovery of an unspecified “number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems.”

GitHub noted that it mitigated the problem prior to the discovery of the attack campaign and that it had purged the logs containing the plaintext credentials.
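The two failure modes above, long-lived cloud credentials committed to private repositories and plaintext registry credentials landing in internal logs, are both caught by the same kind of pattern-based secret detection, run either as a pre-commit or CI scan over repository contents or as a redaction filter in front of the logging pipeline. The following is an added illustration of that control; it is not GitHub's or npm's own code. The log lines and file contents are constructed samples, the AWS key ID is the public example value from AWS documentation, and the patterns (AWS access key IDs, Authorization headers, password fields in form bodies and JSON, and credentials embedded in URLs) are an assumed minimal set that a real scanner would extend.

```python
import re
from typing import Dict, List, Tuple

# Minimal pattern set (assumption: a production scanner would carry many more).
# Each pattern names the sensitive portion as the "secret" group so that
# redaction can mask only that part and keep the rest of the line readable.
PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    # Bearer / Basic tokens in a logged Authorization header.
    "authorization_header": re.compile(
        r"(?i)\bauthorization:\s*(?:basic|bearer)\s+(?P<secret>[A-Za-z0-9+/=._-]+)"
    ),
    # password=... in a logged form body or query string.
    "password_param": re.compile(r"(?i)\bpassword=(?P<secret>[^&\s\"']+)"),
    # "password":"..." in a logged JSON body (e.g. a registry login request).
    "password_json": re.compile(r"(?i)\"password\"\s*:\s*\"(?P<secret>[^\"]*)\""),
    # user:password@host embedded in a URL.
    "basic_auth_url": re.compile(r"https?://[^\s/:@]+:(?P<secret>[^@\s]+)@"),
}

# Constructed sample log lines, loosely modelled on registry request logging.
SAMPLE_LOG_LINES: List[str] = [
    '2022-04-12T10:01:03Z INFO PUT /-/user/org.couchdb.user:alice 201 '
    '{"name":"alice","password":"hunter2"}',
    '2022-04-12T10:02:17Z INFO GET /@acme/internal-lib 200 '
    'authorization: Bearer eyJhbGciOi.fake.token',
    '2022-04-12T10:03:44Z DEBUG publish from '
    'https://bob:Tr0ub4dor@registry.example.test/ ok',
    '2022-04-12T10:04:01Z INFO GET /-/whoami 200 user=carol',
]

# Constructed sample repository contents: path -> file text.
SAMPLE_FILES: Dict[str, str] = {
    "config/deploy.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-east-1\n",
    "README.md": "# internal-lib\n\nPrivate helper library.\n",
}


def find_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (kind, secret) pairs for every pattern hit in the text."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group("secret")))
    return hits


def redact(line: str) -> str:
    """Mask only the secret portion of each match, preserving the rest of the line.

    Intended to sit in front of a log shipper so credentials never reach storage.
    """
    for kind, pattern in PATTERNS.items():

        def _mask(match: re.Match, kind: str = kind) -> str:
            whole = match.group(0)
            start = match.start("secret") - match.start(0)
            end = match.end("secret") - match.start(0)
            return whole[:start] + f"[REDACTED:{kind}]" + whole[end:]

        line = pattern.sub(_mask, line)
    return line


def audit_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Report which log lines carry credentials: (line index, kind)."""
    findings: List[Tuple[int, str]] = []
    for index, line in enumerate(lines):
        for kind, _ in find_secrets(line):
            findings.append((index, kind))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan repository contents; return path -> kinds of secrets found."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        kinds = [kind for kind, _ in find_secrets(content)]
        if kinds:
            report[path] = kinds
    return report


if __name__ == "__main__":
    for index, kind in audit_log(SAMPLE_LOG_LINES):
        print(f"log line {index}: {kind}")
    for line in SAMPLE_LOG_LINES:
        print(redact(line))
    print(scan_files(SAMPLE_FILES))
```

The redaction filter masks only the matched secret so the surrounding request context stays useful for incident response, and the same `find_secrets` routine drives both the log audit and the repository scan, which keeps the pattern set in one place.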


The OAuth theft, which GitHub uncovered on April 12, concerned an unidentified actor taking advantage of stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of organizations, including NPM.

The Microsoft-owned subsidiary, earlier this month, called the campaign “highly targeted” in nature, adding “the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories.”

Heroku has since acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database, prompting the company to reset all user passwords.
