FloatingFatMan Posted April 19, 2022 Share Posted April 19, 2022 Kinda surprised this isn't all over tech news sites... Quote GitHub hacked after Heroku, Travis-CI 0auth tokens stolen in upstream attack An unknown attacker breached GitHub to download data from scores of private code repositories including that of npm — the world’s largest software registry with 75 billion downloads a month — the company has confirmed in a hugely troubling cybersecurity incident. GitHub says it and other affected companies were compromised after the attacker stole authentication tokens from two other upstream software firms. GitHub Security confirmed the breach on April 18, saying it spotted unauthorised access to its own npm production infrastructure using a compromised AWS API key on April 12 as part of the evolving incident. (GitHub operates numerous microservices and databases underpinning production infrastructure for the npm registry; a JavaScript code hub and the largest software registry in the world, which it bought in 2020.) GitHub said it saw “unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage… we assess that the attacker did not modify any packages or gain access to any user account data or credentials.” https://thestack.technology/github-hacked-npm-data-downloaded-in-an-evolving-supply-chain-attack/amp/ goretsky 1 Share Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/ Share on other sites More sharing options...
adrynalyne Posted April 19, 2022 Share Posted April 19, 2022 Oof. Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727644 Share on other sites More sharing options...
FloatingFatMan Posted April 19, 2022 Author Share Posted April 19, 2022 On 19/04/2022 at 20:03, adrynalyne said: Oof. Indeed. Thousands of companies use GitHub as code repositories... Including mine! Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727647 Share on other sites More sharing options...
adrynalyne Posted April 19, 2022 Share Posted April 19, 2022 (edited) On 19/04/2022 at 12:06, FloatingFatMan said: Indeed. Thousands of companies use GitHub as code repositories... Including mine! We use Azure DevOps, but like many, an eff ton of node packages. I didn't see it in the article, but wish we knew who the compromised customers were to check. Unless it was just Travis-CI and Heroku? Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727649 Share on other sites More sharing options...
FloatingFatMan Posted April 19, 2022 Author Share Posted April 19, 2022 On 19/04/2022 at 20:12, adrynalyne said: We use Azure DevOps, but like many, an eff ton of node packages. I didn't see it in the article, but wish we knew who the compromised customers were to check. Unless it was just Travis-CI and Heroku? AFAIK, they're notifying affected clients individually. We got a security alert about it this morning from our IT department so pretty much every single team was in panic stations mode... Funny thing is, we used to use TFS on our own servers but moved everything to GitHub last year to save costs! DOH! Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727653 Share on other sites More sharing options...
adrynalyne Posted April 19, 2022 Share Posted April 19, 2022 On 19/04/2022 at 12:22, FloatingFatMan said: AFAIK, they're notifying affected clients individually. We got a security alert about it this morning from our IT department so pretty much every single team was in panic stations mode... Funny thing is, we used to use TFS on our own servers but moved everything to GitHub last year to save costs! DOH! Oof. I seem to be saying that a lot. I was a proponent of GH but was overruled. Blessing in disguise I guess. 😁 FloatingFatMan 1 Share Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727658 Share on other sites More sharing options...
GSDragoon Posted April 19, 2022 Share Posted April 19, 2022 This sounds like keys from companies that use GitHub got compromised and not so much "GitHub got hacked". +illumination and +Matthew S. 2 Share Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727668 Share on other sites More sharing options...
+illumination Subscriber² Posted April 20, 2022 Subscriber² Share Posted April 20, 2022 (edited) On 19/04/2022 at 22:10, GSDragoon said: This sounds like keys from companies that use GitHub got compromised and not so much "GitHub got hacked". I agree. My understanding of the article is that some Heroku tokens were compromised and those allowed access to some client tokens which in turn allowed access to private Github repositories. It's not clear to me on the impact to npm, but I guess they were one of the Heroku clients that were compromised. Link to comment https://www.neowin.net/forum/topic/1417353-github-hacked-npm-data-stolen-after-0auth-tokens-stolen-in-upstream-breach/#findComment-598727785 Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now