Attack on GitHub that led to the leakage of private repositories and access to NPM infrastructure

GitHub has warned users about an attack aimed at downloading data from private repositories using compromised OAuth tokens that had been issued to the Heroku and Travis-CI services. According to the report, data leaked during the attack from the private repositories of certain organizations that had granted repository access to the Heroku PaaS platform and the Travis-CI continuous integration system. Among the victims were GitHub itself and the NPM project.

The attackers were able to extract from GitHub's private repositories an Amazon Web Services API key used in the NPM project's infrastructure. The key gave access to NPM packages stored in the AWS S3 service. GitHub believes that, despite this access to the NPM repositories, the attackers neither modified packages nor obtained data related to user accounts. It is also noted that, because the infrastructures of GitHub.com and NPM are separate, the attackers did not manage to download the contents of internal GitHub repositories unrelated to NPM before the compromised tokens were revoked.

The attack was detected on April 12, after the attackers attempted to use the key against the AWS API. Later, similar attacks were identified against several other organizations that also used Heroku and Travis-CI application tokens. The affected organizations have not been named, but every user affected by the attack has been sent an individual notification. Users of the Heroku and Travis-CI applications are advised to review their security and audit logs for anomalies and atypical activity.

How the tokens ended up in the attackers' hands is not yet clear, but GitHub believes they were not obtained through a compromise of the company's own infrastructure, since tokens that authorize access from external systems are not stored on GitHub's side in a usable plaintext form. Analysis of the attackers' behaviour suggests that the main purpose of downloading the contents of private repositories was to search them for confidential data, such as access keys, that could be used to extend the attack to other elements of the infrastructure.
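Since the attackers' apparent goal was to mine the downloaded repositories for access keys, a defender's first check is to find such keys in their own repositories before anyone else does. The following is an added example, not code from the page, from GitHub or from NPM: it walks a checkout, flags AWS access key IDs and secret keys, skips `.git` and AWS's documented placeholder key, and builds a small constructed checkout to demonstrate itself; the patterns and sample files are assumptions.

```python
"""Scan a repository checkout for AWS credentials that should never have been committed."""
import os
import re
import tempfile

# Assumed patterns: AWS access key IDs are 20 characters beginning with AKIA (long-term
# user keys) or ASIA (temporary STS keys). A secret access key is 40 base64-like characters
# and is only flagged when the line names it, to limit false positives on random strings.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})\b")

# AWS's own documentation placeholder key; a hit on it is not a real leak.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

def scan_text(path, text):
    """Return (path, line_no, kind, value) for each credential found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(1) not in ALLOWLIST:
                findings.append((path, line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "secret_access_key", m.group(1)))
    return findings

def scan_tree(root):
    """Walk a checkout, skipping .git and any file that is not valid UTF-8 text."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # prune in place: os.walk honours it
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable file: nothing to grep
            findings.extend(scan_text(os.path.relpath(path, root), text))
    return findings

def demo():
    """Constructed checkout: one real-looking key pair, one doc placeholder, one key inside .git."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "config"), "w") as fh:
            fh.write("AKIA" + "Z" * 16 + "\n")  # must be skipped: .git is pruned
        with open(os.path.join(root, "deploy.env"), "w") as fh:
            fh.write("AWS_ACCESS_KEY_ID=" + "AKIA" + "Q" * 16 + "\n"
                     "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
        with open(os.path.join(root, "README.md"), "w") as fh:
            fh.write("Example only: AKIAIOSFODNN7EXAMPLE\n")  # allowlisted, not reported
        return scan_tree(root)
```

Any key this reports in a repository that a third-party OAuth app could read should be treated as exposed and rotated, not merely deleted from the current commit.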

Source: media reports.