Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as “highly targeted” in nature.
“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories,” GitHub’s Mike Hanley said in an updated post.
The security incident, which it discovered on April 12, related to an unidentified attacker leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM.
The Microsoft-owned company said last week that it’s in the process of sending a final set of notifications to GitHub customers who had either the Heroku or Travis CI OAuth app integrations authorized in their accounts.
According to a detailed step-by-step analysis carried out by GitHub, the adversary is said to have employed the stolen app tokens to authenticate to the GitHub API, using it to list all the organizations of affected users.
The attacker then selected targets from among the listed organizations, enumerated the private repositories of the user accounts of interest, and finally cloned some of those private repositories.
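An added example, not taken from GitHub's post or this article: a small Python check over constructed audit-log entries that flags an OAuth-app token (here Heroku or Travis CI) cloning repositories from several organizations within a short window, which is the pattern described above. The field names `programmatic_access_type` and `oauth_app` and the sample records are assumptions modelled loosely on GitHub's audit log, not a documented schema, and the check assumes a log that spans more than one organization.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines (one JSON object per line). The field
# names are assumptions for this example, not GitHub's documented schema.
SAMPLE_LOG = """
{"action":"git.clone","actor":"dev-alice","org":"acme","repo":"acme/web","created_at":"2022-04-12T10:00:00Z","programmatic_access_type":"OAuth access token","oauth_app":"Heroku"}
{"action":"git.clone","actor":"dev-alice","org":"globex","repo":"globex/billing","created_at":"2022-04-12T10:02:00Z","programmatic_access_type":"OAuth access token","oauth_app":"Heroku"}
{"action":"repo.download_zip","actor":"dev-alice","org":"initech","repo":"initech/infra","created_at":"2022-04-12T10:04:00Z","programmatic_access_type":"OAuth access token","oauth_app":"Heroku"}
{"action":"git.clone","actor":"ci-bot","org":"acme","repo":"acme/web","created_at":"2022-04-12T11:00:00Z","programmatic_access_type":"OAuth access token","oauth_app":"Travis CI"}
{"action":"git.clone","actor":"dev-bob","org":"acme","repo":"acme/api","created_at":"2022-04-12T12:00:00Z","programmatic_access_type":"user"}
"""

# Actions that pull repository contents; both are real GitHub audit-log actions.
CLONE_ACTIONS = {"git.clone", "repo.download_zip"}


def parse_log(text):
    """Parse newline-delimited JSON audit-log entries, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_oauth_cloning(entries, watched_apps=("Heroku", "Travis CI"),
                                  min_orgs=2, window=timedelta(hours=1)):
    """Return {(actor, app): sorted orgs} for tokens of a watched OAuth app that
    cloned or downloaded repositories from >= min_orgs organizations inside `window`.
    A single token sweeping across organizations is the behaviour to review."""
    by_token = defaultdict(list)
    for e in entries:
        if e.get("action") not in CLONE_ACTIONS:
            continue
        if e.get("programmatic_access_type") != "OAuth access token":
            continue  # interactive or other token types are out of scope here
        if e.get("oauth_app") not in watched_apps:
            continue
        ts = datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        by_token[(e["actor"], e["oauth_app"])].append((ts, e["org"]))

    findings = {}
    for key, events in by_token.items():
        events.sort()
        # Slide a window starting at each event; flag on the first hit.
        for i, (start, _) in enumerate(events):
            orgs = {org for ts, org in events[i:] if ts - start <= window}
            if len(orgs) >= min_orgs:
                findings[key] = sorted(orgs)
                break
    return findings


if __name__ == "__main__":
    for (actor, app), orgs in find_suspicious_oauth_cloning(parse_log(SAMPLE_LOG)).items():
        print(f"review: {app} token acting as {actor} pulled repos from {orgs}")
```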
The company also reiterated that the tokens were not obtained through a compromise of GitHub or its systems, and that it does not store the tokens in their “original, usable formats,” which an attacker could misuse.