Today, GitHub announced that an attacker stole the login details of approximately 100,000 npm accounts in a security breach that occurred in mid-April using stolen OAuth app tokens. These tokens had been issued to Travis-CI and Heroku.
The threat actor also broke into the private repositories of dozens of organizations and stole data from them.
GitHub reported this security breach three days after it was discovered.
After downloading multiple private npm repositories with the stolen OAuth tokens, the threat actor expanded their access to AWS using a compromised AWS key.
Greg Ose, Senior Vice President for Product Security Engineering at GitHub, said today that the company had discovered that unknown threat actors stole the following data from npm cloud storage:
1. A 2015 archive of user data containing approximately 100k usernames, passwords and email addresses.
2. All private package metadata and manifests as of April 7, 2021.
3. Names and semVer of all published private packages as of April 10, 2022.
4. Private packages from two organizations.
Because the password hashes were generated with weak algorithms (PBKDF2 or salted SHA1), they could be cracked to gain access to accounts. However, since March 1, 2022, email verification has been required for all accounts not enrolled in 2FA, which would automatically block such login attempts.
GitHub is confident, after analyzing logs and events and checking the hashes of all npm package versions, that the actor did not modify any packages published in the registry or publish any updates to existing packages.
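As an added example of the kind of hash check described above, applied on the consumer side (this is illustrative code, not GitHub's or npm's own tooling): the snippet recomputes a downloaded tarball's digest and compares it with the SRI `integrity` string that package-lock.json pins for that package. The lockfile fragment and tarball bytes are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample tarball bytes (stand-in for example-pkg-1.0.0.tgz).
SAMPLE_TARBALL = b"constructed tarball bytes for example-pkg@1.0.0"


def sri(data: bytes, algo: str = "sha512") -> str:
    """Build an npm-style SRI integrity string: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed package-lock.json fragment (lockfileVersion 2/3 "packages" layout).
SAMPLE_LOCK = json.dumps({
    "packages": {
        "node_modules/example-pkg": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/example-pkg/-/example-pkg-1.0.0.tgz",
            "integrity": sri(SAMPLE_TARBALL),
        }
    }
})


def verify_tarball(lock_json: str, package_path: str, tarball: bytes) -> bool:
    """Return True only if the tarball matches the integrity pinned in the lockfile.

    Only the single-hash SRI form is handled here; npm also allows several
    space-separated hashes, in which case the strongest one should be checked.
    """
    entry = json.loads(lock_json)["packages"][package_path]
    algo, _, expected_b64 = entry["integrity"].partition("-")
    if algo not in ("sha512", "sha384", "sha256"):
        raise ValueError(f"unsupported integrity algorithm: {algo}")
    actual = hashlib.new(algo, tarball).digest()
    expected = base64.b64decode(expected_b64)
    # Constant-time comparison; a mismatch means the tarball was altered or swapped.
    return hmac.compare_digest(actual, expected)
```

A failing comparison on a tarball fetched from the registry is the signal to stop the install and investigate, since the lockfile digest was recorded when the dependency was first resolved.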
GitHub reset passwords for all impacted npm users, and notified all users and organizations whose data was accessed.
Cleartext npm credentials discovered in internal logs
GitHub says that it discovered plaintext credentials in logs internal to npm services while investigating the April OAuth breach.
Fortunately, only GitHub employees had access to this information. However, login details were made public.
The credential data found in the internal logs included npm access tokens, a small number of cleartext passwords used to sign into npm accounts, and some GitHub Personal Access Tokens that had been sent to npm.
Ose said that GitHub discovered the plaintext credentials for the npm registry during an internal investigation unrelated to the OAuth token attack.
“This issue was resolved and logs containing plaintext credentials were deleted prior to the attack against npm.”