GitHub Attackers Stole Login Details Of 100K NPM Users

Today, GitHub disclosed that the attacker behind the mid-April security breach, who used stolen OAuth app tokens issued to Heroku and Travis CI, also obtained a 2015 archive of credential data for approximately 100,000 npm accounts.

The threat actor used those tokens to access and download data from the private repositories of dozens of organizations.

GitHub reported this security breach three days after it was discovered.

After cloning multiple private npm repositories with the stolen OAuth tokens, the threat actor escalated to npm's AWS infrastructure using a compromised AWS key obtained through that access.

To prevent further hacking attempts, GitHub, Travis CI and Heroku revoked all OAuth tokens after the breach was discovered.

Greg Ose, Senior Vice President for Product Security Engineering at GitHub, said today that the company had determined the unknown threat actor stole the following data from npm's cloud storage:

1. A 2015 archive of user data containing approximately 100k usernames, password hashes and email addresses.

2. All private package metadata and manifests as of April 7, 2021.

3. Names and semver versions of all published private packages as of April 10, 2022.

4. Private packages from two organizations.

Although the password hashes were generated with weak algorithms (PBKDF2 or salted SHA1) and could therefore be cracked, a cracked password alone would not grant access: since March 1, 2022, npm has required email verification on login for accounts that are not enrolled in 2FA.
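To make the "could still be cracked" point concrete, the following Python is an added example (not code from GitHub or npm): it runs an offline dictionary attack against a leaked salted-SHA1 hash, then against a PBKDF2 hash of the same password, and reports the per-guess cost of each. The salt, target password, wordlist and iteration count are constructed for the demo; the hash functions are the standard library's.

```python
"""Added example (not from GitHub's disclosure): an offline dictionary attack
against a leaked salted-SHA1 hash and against a PBKDF2 hash of the same
password, showing that the work factor, not the salt, decides how cheaply a
stolen archive can be cracked. Salt, password and wordlist are constructed."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a cracking dictionary; real attacks use millions of entries.
WORDLIST = ["letmein", "password", "npm2015", "hunter2", "correct horse battery", "Tr0ub4dor&3"]


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Legacy scheme: a single SHA-1 over salt||password. The salt defeats
    precomputed tables but does nothing against per-hash brute force, because
    one guess costs one SHA-1 (hundreds of millions per second on a GPU)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_sha256(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. Each guess costs `iterations` HMAC computations, so
    the defender sets the attacker's cost directly; a low iteration count is
    what leaves PBKDF2 hashes crackable in practice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def dictionary_attack(target: bytes, salt: bytes, hash_fn):
    """Try every wordlist entry with the leaked salt.
    Returns (recovered_password or None, guesses_tried, seconds_elapsed)."""
    start = time.perf_counter()
    for tried, guess in enumerate(WORDLIST, start=1):
        if hmac.compare_digest(hash_fn(guess, salt), target):
            return guess, tried, time.perf_counter() - start
    return None, len(WORDLIST), time.perf_counter() - start


def compare_schemes(password: str = "hunter2", iterations: int = 100_000) -> dict:
    """Crack the same password under both schemes and report the cost of each."""
    salt = os.urandom(16)  # the attacker has this too: it is stored next to the hash
    sha1_hit, sha1_guesses, sha1_secs = dictionary_attack(
        salted_sha1(password, salt), salt, salted_sha1)
    pbkdf2_hit, pbkdf2_guesses, pbkdf2_secs = dictionary_attack(
        pbkdf2_sha256(password, salt, iterations), salt,
        lambda p, s: pbkdf2_sha256(p, s, iterations))
    return {
        "sha1": {"recovered": sha1_hit, "guesses": sha1_guesses, "seconds": sha1_secs},
        "pbkdf2": {"recovered": pbkdf2_hit, "guesses": pbkdf2_guesses, "seconds": pbkdf2_secs},
        # how many times more expensive one PBKDF2 guess is than one SHA-1 guess
        "slowdown": (pbkdf2_secs / pbkdf2_guesses) / max(sha1_secs / sha1_guesses, 1e-9),
    }


if __name__ == "__main__":
    result = compare_schemes()
    for scheme in ("sha1", "pbkdf2"):
        r = result[scheme]
        print(f"{scheme:7s} recovered={r['recovered']!r} after {r['guesses']} guesses in {r['seconds']:.4f}s")
    print(f"PBKDF2 guess cost / SHA-1 guess cost: {result['slowdown']:.0f}x")
```

Both hashes fall to the same four guesses; the difference is only how long each guess takes, which is why an archive of fast hashes is treated as a plaintext leak and why a password reset, not just the hash format, is the correct response.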

GitHub is confident, after analyzing logs and events and checking the hashes of all npm package versions, that the actor did not modify any packages published in the registry or publish updates to existing packages.

GitHub reset passwords for all impacted npm users, and notified all users and organizations whose data was accessed.

Affected users should rotate their npm access tokens, and can also reset their npm account password manually.

Clear text npm credentials discovered in internal logs

GitHub also said that, while investigating the April OAuth breach, it discovered plaintext credentials in logs internal to npm services.

Fortunately, access to these logs was limited to GitHub employees, and the logs were deleted before the attack on npm, so the credentials were not exposed to the attacker.

The credentials found in the internal logs included npm access tokens, a small number of plaintext passwords used to sign in to npm accounts, and some GitHub Personal Access Tokens that had been sent to npm services.

Ose said that GitHub found the plaintext credentials for the npm registry during its internal investigation and in further work unrelated to the OAuth token attack.

“This issue was resolved and logs containing plaintext credentials were deleted prior to the attack against npm.”
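The two failure modes this article describes, an AWS key reachable from a private repository and npm tokens, passwords and GitHub Personal Access Tokens written to internal logs, share one control: scan text for credential-shaped strings before it is committed or logged. The following Python is an added example, not GitHub's or npm's tooling. It matches the public token formats (an `npm_` or `ghp_`-style prefix followed by 36 characters, AWS access key IDs beginning `AKIA` or `ASIA`) plus `password=` fields; the sample lines are constructed, and the redaction labels and function names are my own.

```python
"""Added example (not GitHub or npm code): detect and redact credential-shaped
strings in repository content or log lines. Patterns cover the public formats
of AWS access key IDs, npm tokens, GitHub personal access tokens, and
password=... fields; the sample lines below are constructed."""
import re
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str
    start: int
    end: int
    secret: str


# Each pattern names the part to redact as the "secret" group.
PATTERNS = [
    # AWS access key ID: long-term (AKIA) or temporary (ASIA) prefix + 16 chars
    ("aws_access_key_id", re.compile(r"(?<![A-Z0-9])(?P<secret>(?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")),
    # npm access tokens issued since late 2021: npm_ + 36 alphanumerics
    ("npm_token", re.compile(r"\b(?P<secret>npm_[A-Za-z0-9]{36})\b")),
    # GitHub classic tokens: ghp_/gho_/ghu_/ghs_/ghr_ + 36 alphanumerics
    ("github_token", re.compile(r"\b(?P<secret>gh[pousr]_[A-Za-z0-9]{36})\b")),
    # key=value or key: value password fields in logs and config
    ("password_field", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?(?P<secret>[^\s\"',&]+)")),
]

# Constructed sample input: one repo config line, three log lines, one clean line.
# AKIAIOSFODNN7EXAMPLE is the example key ID from AWS's own documentation.
SAMPLE_LINES = [
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "POST /-/npm/v1/tokens authorization=Bearer npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 200",
    "sync github token=ghp_0123456789abcdefghijklmnopqrstuvwxyz user=alice",
    "login user=bob password=hunter2 ip=203.0.113.7",
    "GET /package/lodash 200 12ms",
]


def scan(text: str) -> list:
    """Return every credential-shaped match in `text`, ordered by offset."""
    findings = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            start, end = m.span("secret")
            findings.append(Finding(kind, start, end, text[start:end]))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Replace each secret with a labelled placeholder, keeping the rest of the line.
    Replacements run right-to-left so earlier offsets stay valid."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[REDACTED:{f.kind}]" + out[f.end:]
    return out


def summarize(lines) -> dict:
    """Count findings per kind across many lines, e.g. a log file or a repo walk."""
    counts = Counter(f.kind for line in lines for f in scan(line))
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact(line))
    print(summarize(SAMPLE_LINES))
```

Run as a pre-commit hook or a log pipeline filter, `redact` is what keeps a token out of the log in the first place; `scan` over a checked-out repository is the cheap check that would have flagged a cloud key stored in source before an attacker with repository read access found it.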
