GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis CI as "highly targeted" in nature.
"This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," GitHub's Mike Hanley said in an updated post.
The security incident, which GitHub discovered on April 12, involved an unidentified attacker leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of organizations, including NPM. The Microsoft-owned company said last week that it's in the process of sending a final set of notifications to GitHub customers who had either the Heroku or Travis CI OAuth app integrations authorized in their accounts.
According to a detailed step-by-step analysis carried out by GitHub, the adversary is said to have employed the stolen app tokens to authenticate to the GitHub API, using it to list all the organizations of affected users.
The company also reiterated that the tokens were not obtained via a compromise of GitHub or its systems, and that it does not store tokens in their "original, usable formats," which could be misused by an attacker.
"Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications," GitHub noted.
News URL
https://thehackernews.com/2022/05/github-says-recent-attack-involving.html