GitHub revealed today that an attacker stole the login details of roughly 100,000 npm accounts during a mid-April security breach with the help of stolen OAuth app tokens issued to Heroku and Travis-CI.
The threat actor successfully breached and exfiltrated data from private repositories belonging to dozens of organizations.
GitHub disclosed this security breach on April 15, three days after discovering the attack, in which the malicious actor gained access to npm production infrastructure.
The threat actor escalated their access using a compromised AWS access key, acquired after downloading multiple private npm repositories using the stolen OAuth user tokens in the initial stage of the attack.
After the breach was discovered, GitHub, Travis CI, and Heroku revoked all OAuth tokens to block further hacking attempts.
Today, Greg Ose, Senior Director for Product Security Engineering at GitHub, said the company discovered during the investigation that the unknown threat actors stole the following data from npm cloud storage:
- Approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information.
- All private package manifests and metadata as of April 7, 2021.
- Names and the semVer of published versions of all private packages as of April 10, 2022.
- Private packages from two organizations.
Although the password hashes were generated using weak hashing algorithms (PBKDF2 or salted SHA1) and could be cracked to take over accounts, such attempts would be automatically blocked by the email verification enabled since March 1, 2022, on all accounts not enrolled in 2FA.
After log and event analysis and checking hashes for all npm package versions, GitHub “is currently confident that the actor did not modify any published packages in the registry or publish any new versions to existing packages.”
GitHub has reset all passwords belonging to impacted npm users and is notifying all organizations and users whose data was accessed by the attacker.
Cleartext npm credentials found in internal logs
While investigating the April OAuth breach, GitHub says it also found some plaintext credentials stored in internal logs for npm services.
Luckily, only GitHub employees had access to this information while these login details were exposed.
Credential data found in internal logs includes npm access tokens, a small number of cleartext passwords used to sign in to npm accounts, and some GitHub Personal Access Tokens sent to npm services.
“Following an internal discovery and additional investigation unrelated to the OAuth token attack, GitHub discovered a number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems,” Ose added.
“This issue was mitigated and logs containing the plaintext credentials were purged prior to the attack on npm.”