GitHub hacked, npm data stolen after OAuth tokens stolen in upstream breach



Kinda surprised this isn't all over tech news sites...

 

Quote

GitHub hacked after Heroku, Travis-CI OAuth tokens stolen in upstream attack

 

An unknown attacker breached GitHub to download data from scores of private code repositories including that of npm — the world’s largest software registry with 75 billion downloads a month — the company has confirmed in a hugely troubling cybersecurity incident. GitHub says it and other affected companies were compromised after the attacker stole authentication tokens from two other upstream software firms.

 

GitHub Security confirmed the breach on April 18, saying it spotted unauthorised access to its own npm production infrastructure using a compromised AWS API key on April 12 as part of the evolving incident. (GitHub operates numerous microservices and databases underpinning production infrastructure for the npm registry; a JavaScript code hub and the largest software registry in the world, which it bought in 2020.)

 

GitHub said it saw “unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage… we assess that the attacker did not modify any packages or gain access to any user account data or credentials.”

  

https://thestack.technology/github-hacked-npm-data-downloaded-in-an-evolving-supply-chain-attack/amp/

 

On 19/04/2022 at 12:06, FloatingFatMan said:

Indeed. Thousands of companies use GitHub as code repositories... Including mine!

We use Azure DevOps, but like many, an eff ton of node packages. I didn't see it in the article, but wish we knew who the compromised customers were to check. Unless it was just Travis-CI and Heroku?

On 19/04/2022 at 20:12, adrynalyne said:

We use Azure DevOps, but like many, an eff ton of node packages. I didn't see it in the article, but wish we knew who the compromised customers were to check. Unless it was just Travis-CI and Heroku?

AFAIK, they're notifying affected clients individually. We got a security alert about it this morning from our IT department so pretty much every single team was in panic stations mode...

 

Funny thing is, we used to use TFS on our own servers but moved everything to GitHub last year to save costs!  DOH! :p 

On 19/04/2022 at 12:22, FloatingFatMan said:

AFAIK, they're notifying affected clients individually. We got a security alert about it this morning from our IT department so pretty much every single team was in panic stations mode...

 

Funny thing is, we used to use TFS on our own servers but moved everything to GitHub last year to save costs!  DOH! :p 

Oof. I seem to be saying that a lot. I was a proponent of GH but was overruled. Blessing in disguise I guess. 😁

On 19/04/2022 at 22:10, GSDragoon said:

This sounds like keys from companies that use GitHub got compromised and not so much "GitHub got hacked".

I agree. My understanding of the article is that some Heroku tokens were compromised and those allowed access to some client tokens, which in turn allowed access to private GitHub repositories. It's not clear to me what the impact on npm was, but I guess they were one of the Heroku clients that were compromised.
