GitHub: Attackers stole login details of 100K npm user accounts (Security News, May 2022)
GitHub revealed today that an attacker stole the login details of roughly 100,000 npm accounts during a mid-April security breach with the help of stolen OAuth app tokens issued to Heroku and Travis-CI. The threat actor successfully breached and exfiltrated data from private repositories belonging to dozens of organizations.
According to GitHub, the data accessed included approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information.
Although the password hashes were generated with weak hashing algorithms and could be cracked to take over accounts, such attempts would be automatically blocked by the email verification that has been enabled since March 1, 2022 on all accounts not enrolled in 2FA. After analyzing logs and events and checking the hashes of all npm package versions, GitHub says it "is currently confident that the actor did not modify any published packages in the registry or publish any new versions to existing packages."
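The weak-hash problem described above is the reason a defender treats an old credential archive as crackable and moves users onto a modern, salted, memory-hard scheme at their next successful login. The following is an added example (not GitHub's or npm's code) of that transparent upgrade path: it assumes, for illustration only, that the legacy store holds unsalted SHA-1 hex digests (the article only says "weak hashing algorithms"), and it uses `hashlib.scrypt` from the Python standard library as the replacement so the snippet runs offline.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed legacy scheme for the example: unsalted SHA-1 hex digest.
# Fast, unsalted hashes like this are exactly what makes a leaked
# archive cheap to crack offline.
def legacy_hash(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


# scrypt parameters chosen for the example (16 MiB per guess).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$salt_hex$key_hex."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, upgraded_record). When ok is True and the stored record
    used the legacy scheme, upgraded_record is a fresh scrypt record the
    caller must persist so the weak hash never has to be kept around.
    """
    if stored.startswith("scrypt$"):
        _, salt_hex, key_hex = stored.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
        # Constant-time comparison so verification timing leaks nothing.
        return hmac.compare_digest(key.hex(), key_hex), None

    # Legacy path: verify once, then hand back a strong replacement.
    ok = hmac.compare_digest(legacy_hash(password), stored)
    return ok, (strong_hash(password) if ok else None)


if __name__ == "__main__":
    # Constructed demo: a user whose record still uses the legacy scheme.
    record = legacy_hash("hunter2")
    ok, upgraded = verify(record, "hunter2")
    print("legacy login ok:", ok, "-> new record:", upgraded)
    print("upgraded login ok:", verify(upgraded, "hunter2")[0])
```

The point of the two-branch `verify` is that the migration needs no mass password reset on its own: every successful login silently replaces the weak record. Accounts that never log in keep a crackable hash, which is why, as the article notes, a forced reset for affected users is still the right call alongside this.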
GitHub has reset all passwords belonging to impacted npm users and is notifying all organizations and users whose data was accessed by the attacker.
While investigating the April OAuth breach, GitHub says it also found some plaintext credentials stored in internal logs for npm services.
"Following an internal discovery and additional investigation unrelated to the OAuth token attack, GitHub discovered a number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems," Ose added.
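The plaintext-credentials-in-logs finding is a classic side effect of plugging a service into a central logging pipeline: request bodies, query strings and authorization headers get captured whole. The snippet below is an added example, not GitHub's code, of the scrubbing step a log pipeline should apply before a line is written or shipped. The log lines are constructed for the example, and the `npm_` token prefix and registry paths are used only as illustrative patterns to match.

```python
import re
from typing import List

# Constructed sample log lines; none of these come from GitHub's or npm's systems.
SAMPLE_LOGS = [
    'PUT /-/user/org.couchdb.user:alice body={"name":"alice","password":"s3cret!"}',
    'GET /-/whoami authorization="Bearer npm_ExampleTokenValue123"',
    'POST /login?user=bob&password=hunter2 200',
    'GET /package/lodash 200',
]

# Each pattern keeps the field name (so the log stays debuggable) and
# replaces only the secret value.
PATTERNS = [
    # JSON body fields such as "password":"..."
    (re.compile(r'("password"\s*:\s*")[^"]*(")'), r'\1[REDACTED]\2'),
    # Quoted authorization header values, whatever the scheme
    (re.compile(r'(?i)(authorization=")[^"]*(")'), r'\1[REDACTED]\2'),
    # password=... in a query string
    (re.compile(r'(?i)([?&]password=)[^&\s]*'), r'\1[REDACTED]'),
    # Bare tokens with the assumed npm_ prefix appearing anywhere else
    (re.compile(r'\bnpm_[A-Za-z0-9]+'), '[REDACTED_TOKEN]'),
]


def scrub(line: str) -> str:
    """Return the line with every matched credential value replaced."""
    for pattern, replacement in PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def scrub_all(lines: List[str]) -> List[str]:
    return [scrub(line) for line in lines]


def leaked(lines: List[str]) -> List[str]:
    """Detection view: lines that contained something the scrubber removed.

    Run this over an existing archive to size the exposure before purging it.
    """
    return [line for line in lines if scrub(line) != line]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOGS, scrub_all(SAMPLE_LOGS)):
        print(cleaned)
    print(f"{len(leaked(SAMPLE_LOGS))} of {len(SAMPLE_LOGS)} lines carried a credential")
```

Scrubbing at write time only protects future logs; for an incident like the one described, `leaked` is the function you run over the retained archive to find which users' credentials were captured and must be reset, and the affected log volumes are then purged rather than merely filtered.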