A mystery hacker is smuggling data out of private code repositories, GitHub warns
Data is being taken with the help of stolen OAuth user tokens
An unknown threat actor is harvesting data from private code repositories with the help of stolen OAuth user tokens issued to Heroku and Travis CI.
As reported by GitHub, by last Tuesday the threat actor had managed to steal data from “dozens of victims”.
“The applications maintained by these integrators were used by GitHub users, including GitHub itself,” said Mike Hanley, Chief Security Officer at GitHub.
No credentials stolen
Hanley went on to explain that the attacker did not obtain these tokens as a result of a breach at GitHub, which did not store the stolen tokens in their original, usable format.
“Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure,” he added.
Hanley said affected OAuth applications include Heroku Dashboard (ID: 145909 and ID: 628778), Heroku Dashboard – Preview (ID: 313468), Heroku Dashboard – Classic (ID: 363831), and Travis CI (ID: 9216).
The attacker was spotted on April 12, when they tried to use a compromised AWS API key to access GitHub’s npm production infrastructure. It’s speculated that the attacker found the API key when downloading multiple private npm repositories.
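The pivot Hanley describes, cloning private repositories and mining them for credentials such as the AWS key used against npm, is exactly what a defender's secret scan over repository contents is meant to catch before an attacker does. The following is an added example, not GitHub's, npm's or Heroku's code: it scans an in-memory snapshot of repository files for AWS access key IDs, prefixed GitHub tokens and high-entropy values assigned to secret-looking variables, and returns redacted findings. The sample files are constructed (the AWS key ID is Amazon's documented example value), and the 36-character length assumed for GitHub tokens is an assumption of this example.

```python
"""Scan repository contents for leaked credentials.

Added example (not code from GitHub, npm or Heroku). Runs offline over a
constructed in-memory snapshot of repository files.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Specific patterns first, generic last, so a value caught by a specific
# pattern is not reported a second time by the generic rule.
# AWS access key IDs start with AKIA followed by 16 uppercase alphanumerics.
# GitHub tokens carry a gh?_ prefix; the 36-character body is an assumption.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("github_token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")),
    # Generic rule: a secret-looking variable assigned a long literal.
    ("generic_secret", re.compile(
        r"(?i)(?:secret|password|passwd|api[_-]?key|access[_-]?key|token|key)"
        r"\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})['\"]?")),
]


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never carry the full secret into logs or tickets


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "..." + value[-2:]


def scan_text(path: str, text: str, min_entropy: float = 4.0) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # values already reported on this line
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1)
                if value in seen:
                    continue
                # The generic rule needs an entropy gate to skip placeholders.
                if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                    continue
                seen.add(value)
                findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_repo(files: dict) -> list:
    """files maps repository path -> file contents (a cloned tree snapshot)."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return findings


# Constructed sample repository. The AKIA value is Amazon's published example
# key ID; the gho_ value and the rest are made up for this example.
SAMPLE_REPO = {
    "config/settings.py": (
        'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"\n'
        'aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    ".env": (
        "GITHUB_TOKEN=gho_16C7e42F292c6912E7710c838347Ae178B4a\n"
        "DB_PASSWORD=password_placeholder\n"
    ),
    "README.md": "Set GITHUB_TOKEN to a token with repo scope before deploying.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line} {f.kind} {f.redacted}")
```

The placeholder `DB_PASSWORD` value is matched by the generic rule but dropped by the entropy gate, while the real-looking AWS secret passes it; the prefixed GitHub token is reported once, by the specific rule, even though the generic rule also matches it. Running a scan like this on every push, and rotating anything it flags, removes the material that makes a stolen OAuth token worth having.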
“Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications,” Hanley further explained.
Whoever was behind the attack managed to steal data from affected repositories, but most likely was not able to modify the packages, or obtain identity data or account passwords.
“npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack,” Hanley said. “Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.”
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.