Tue | May 31, 2022 | 9:26 AM PDT

A little over one month ago, on April 15th, GitHub disclosed an attack in which threat actors used stolen OAuth user tokens issued by the third-party integrators Heroku and Travis CI to download data from dozens of GitHub.com organizations.

This week, the code hosting platform revealed more information about the incident, sharing that the threat actor was able to escalate its access into the internal infrastructure of npm, the package manager for the Node.js JavaScript platform.

Greg Ose, Senior Director for Product Security Engineering at GitHub, said this about the incident:

"On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis CI, to download data from dozens of GitHub.com organizations. One of the victim organizations impacted was npm. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats. 

Following the discovery of npm's initial compromise, GitHub investigated the impact to npm. Based on this analysis, we have evidence the actor was able to access internal npm data and npm customer information."
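The statement above rests on one design property: GitHub keeps only a one-way hash of each issued token, so a dump of the token table does not give an attacker anything replayable. The following is an added illustration of that property, not GitHub's or npm's code; the `gho_` prefix, the integrator names and the scopes are assumptions chosen for the example. It contrasts a plaintext store with a hashed store and shows why revoking every token issued to a compromised integrator is the natural remediation.

```python
"""Added example: why hashed-at-rest tokens limit the blast radius of a leak.

Not GitHub's or npm's implementation. Token format, app names and scopes are
constructed for illustration only.
"""
import hashlib
import secrets

TOKEN_PREFIX = "gho_"  # assumed prefix, for readability of the example


class PlaintextTokenStore:
    """Naive store: keeps the usable token. A dump is directly replayable."""

    def __init__(self):
        self._rows = {}  # token -> metadata

    def issue(self, user, app, scopes):
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        self._rows[token] = {"user": user, "app": app, "scopes": list(scopes)}
        return token

    def lookup(self, presented):
        return self._rows.get(presented)

    def dump(self):
        # What an attacker with read access to the table would see.
        return list(self._rows.keys())


class HashedTokenStore:
    """Keeps only SHA-256(token). The original token exists only at issuance."""

    def __init__(self):
        self._rows = {}  # hex digest -> metadata

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user, app, scopes):
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user": user, "app": app, "scopes": list(scopes)
        }
        return token  # shown to the integrator once, then discarded server-side

    def lookup(self, presented):
        # Tokens are 256-bit random values, so a plain dict lookup on the
        # digest is adequate; no secret-dependent comparison is involved.
        return self._rows.get(self._digest(presented))

    def revoke_for_app(self, app):
        """Revoke every token issued to one integrator (e.g. after it is breached)."""
        doomed = [d for d, row in self._rows.items() if row["app"] == app]
        for d in doomed:
            del self._rows[d]
        return len(doomed)

    def dump(self):
        return list(self._rows.keys())


def replayable_count(store):
    """How many records from a table dump can be presented back as a valid token."""
    return sum(1 for leaked in store.dump() if store.lookup(leaked) is not None)


def demo():
    plain, hashed = PlaintextTokenStore(), HashedTokenStore()
    for user in ("alice", "bob", "carol"):
        plain.issue(user, "heroku", ["repo"])
        hashed.issue(user, "heroku", ["repo"])
    hashed.issue("dave", "travis-ci", ["repo:status"])
    hashed.issue("erin", "unrelated-app", ["read:org"])

    result = {
        "plaintext_replayable": replayable_count(plain),   # 3: every leaked row works
        "hashed_replayable": replayable_count(hashed),     # 0: digests are not tokens
        "revoked_heroku": hashed.revoke_for_app("heroku"), # 3 tokens removed
        "remaining": len(hashed.dump()),                   # 2 untouched tokens
    }
    return result


if __name__ == "__main__":
    print(demo())
```

The hashed store does not help when the integrator itself leaks the tokens it was handed at issuance, which is the scenario GitHub describes; it only guarantees that a dump of GitHub's own table is worthless, which is why GitHub can say the tokens were not obtained from its systems. The remaining lever is the one in `revoke_for_app`: invalidate everything issued to the breached integrator.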

He also shared that the attacker accessed the following information:

  • "Approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information."
  • "All private package manifests and metadata as of April 7, 2021."
  • "Names and the semVer of published versions of all private packages as of April 10, 2022."
  • "Private packages from two organizations."

GitHub is confident the attacker did not modify any published packages in the registry or publish any new versions to existing packages.

A breakdown of the entire attack chain can be found here.

The company is taking steps to remediate the situation, which include resetting passwords for affected users, notifying the two organizations whose private packages were stolen, and directly notifying users whose private package manifests, metadata, or package names and versions were exposed.