Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach
Cloud-based repository hosting service GitHub on Friday shared additional details about the theft of GitHub integration OAuth tokens last month, noting that the attacker was able to access internal NPM data and its customer information.
"Using stolen OAuth user tokens originating from two third-party integrators, Heroku and Travis CI, the attacker was able to escalate access to NPM infrastructure," Greg Ose said, adding the attacker then managed to obtain a number of files -.
The attack chain, as detailed by GitHub, involved the attacker abusing the OAuth tokens to exfiltrate private NPM repositories containing AWS access keys, and subsequently leveraging them to gain unauthorized access to the registry's infrastructure.
The company said the investigation into the OAuth token attack revealed an unrelated issue that involved the discovery of an unspecified "number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems."
The OAuth theft, which GitHub uncovered on April 12, concerned an unidentified actor taking advantage of stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of organizations, including NPM. The Microsoft-owned subsidiary, earlier this month, called the campaign "highly targeted" in nature, adding "the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories."
Heroku has since acknowledged that the theft of GitHub integration OAuth tokens further involved unauthorized access to an internal customer database, prompting the company to reset all user passwords.
News URL
https://thehackernews.com/2022/05/nearly-100000-npm-users-credentials.html