The Ultimate Guide to Non-Human Identities Report Now Available

GitHub Repo Breach

NHI Mgmt Group

Overview

In April 2022, attackers exploited stolen OAuth tokens issued by third-party integrators Heroku and Travis CI to gain unauthorized access to GitHub repositories. These tokens, which were not acquired through a direct compromise of GitHub systems, allowed the attackers to access private repositories belonging to many organizations. Among the impacted entities was npm, which is a critical component for the Node.js environment.

What Went Wrong?

The attacker used stolen OAuth tokens issued to two popular third-party integration services, Heroku and Travis CI, to gain unauthorized access to repositories hosted on GitHub. OAuth tokens are widely used to grant secure, delegated access to resources, but when compromised, they pose severe risks.

GitHub then detected the breach on April 12, 2022, after identifying unauthorized access to its npm production infrastructure. Investigation revealed that the attacker obtained an AWS API key from private npm repositories accessed using the stolen OAuth tokens. The scope of the attack extended to downloading repository data and potentially searching for sensitive information, such as secrets or credentials, to escalate the breach into other infrastructure systems.

How Could This Happen?

Compromise of OAuth Tokens

OAuth tokens are used to authenticate third-party services with GitHub without requiring user credentials. In this case, tokens issued to Heroku and Travis CI were compromised. Possible scenarios for this compromise include:

  1. Third-party Platform Vulnerabilities - Attackers may have exploited a vulnerability in Heroku or Travis CI to extract stored tokens.

  2. Social Engineering - The attackers could have phished developers or system administrators, convincing them to inadvertently reveal their OAuth tokens or provide access to accounts.

  3. Secrets in Source Code - Private repositories often contain hardcoded secrets such as API keys, credentials, or tokens. Once attackers cloned the repositories:

    • They could use tools to extract sensitive information embedded in the code.

    • Extracted secrets enabled lateral movement into other systems, such as npm’s AWS infrastructure.

Impact of The Breach

The breach’s consequences were significant, particularly for npm, which was among the affected organizations. Here’s what the attackers accessed:

NPM Infrastructure:

  • Metadata and Package manifests for public and private packages.

  • An older backup of the skimdb.npmjs.com mirror, containing:

    • Private npm package manifests and metadata.

    • Archived user information from 2015, affecting approximately 100,000 npm user accounts.

    • Email addresses and password hashes (protected using PBKDF2).

  • Secrets like AWS keys embedded in repositories.

Organizations GitHub Repos:

  • A lot of organizations’ private repositories were exposed.

GitHub’s Response

GitHub responded swiftly to contain the attack:

  • Revoked Compromised Tokens: All OAuth tokens associated with Heroku and Travis CI were invalidated to prevent further misuse.

  • Notified Affected Parties: GitHub directly contacted organizations and individuals whose repositories were accessed.

  • Enhanced Security Measures: GitHub emphasized the importance of token auditing, secret scanning, and restricting OAuth application access.

  • Incident Investigation: Launched an investigation to assess the extent of the compromise and identify impacted repositories and users.

Lessons Learned

  • Secrets Management: Embedding secrets like API keys and AWS credentials in source code increases risk. Adopting secret management tools to store and access credentials securely is essential.

  • Incident Response Readiness: Having a robust incident response plan that includes revoking credentials, notifying users, and patching vulnerabilities can significantly reduce the impact of a breach.

  • Implement Expiration Policies: To ensure tokens expire after a short period of time to reduce their utility if compromised.

  • Zero Trust Architecture: Restricting production environment access and implementing principle-of-least privilege policies reduce the attack surface.

  • Continuous Monitoring: Continuous monitoring for anomalies in token usage and using automated tools to identify misconfigurations can help prevent similar incidents.

Conclusion

This breach demonstrates how interconnected systems can amplify the impact of a single compromise. The attackers leveraged stolen OAuth tokens to infiltrate private repositories, escalate their privileges, and access sensitive infrastructure like npm. This highlights the importance of secure token management, regular audits, and minimal permission configurations for third-party integrations.

About Contact Glossary

Terms & Conditions Privacy policy

Non-Human Identity Mgmt Group

The Non-Human Identity Management Group is the #1 Authority for research and education on Non-Human Identity risks. We provide Independent guidance and expert advice to organizations, helping them understand, manage and secure these huge risks effectively.

Subscribe to our Newsletter

Subscribe

© 2024