Nearly 100,000 NPM Users' Credentials Stolen in GitHub OAuth Breach

The company is resetting the passwords of impacted users and notifying users by email.


According to GitHub, the attackers obtained the credentials of roughly 100K npm users during the April incident. In April, GitHub discovered threat actors using stolen OAuth user tokens to access repositories and exfiltrate confidential data from a number of organisations.

The attackers used stolen OAuth user tokens issued to Heroku and Travis-CI, two third-party OAuth integrators, to download data from dozens of organisations, including npm. According to GitHub, the attackers did not obtain these tokens through a compromise of GitHub or its systems; GitHub does not store the tokens in their original, usable form.

On April 12, GitHub opened an investigation into a series of unauthorised accesses to data stored in hundreds of organisations' repositories. The incident came to light that day when GitHub's security team detected unauthorised access to npm production infrastructure via a compromised AWS API key. The threat actors reportedly obtained that AWS API key by using a stolen OAuth token from one of the two compromised OAuth applications to download a series of unnamed private npm repositories. GitHub revoked the access tokens associated with the affected applications.

According to an update released by the Microsoft-owned firm, the attackers were able to escalate their access to npm infrastructure and exfiltrate the following files from npm cloud storage:
  • A backup of skimdb.npmjs.com containing data from April 7, 2021, including an archive of user information from 2015 with npm usernames, password hashes, and email addresses for roughly 100k npm users.
  • All private npm package manifests and package metadata as of April 7, 2021.
  • A series of CSVs containing an archive of all names and version numbers (semver) of published versions of all npm private packages as of April 10, 2022.
  • Private packages from two organisations.
According to the log analysis and package hash verification, the attackers did not modify any packages in the registry or publish new versions of existing packages.
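The "package hash verification" referred to above works because npm records a digest of every published tarball as a Subresource Integrity string ("sha512-" followed by the base64 digest) in the registry's package metadata and in package-lock.json. The following is an added example, not GitHub's or npm's own code, showing how a defender can recompute that digest over the tarball bytes they hold and compare it with the recorded value, so that a tampered or republished package is caught. The sample tarball bytes and the manifest are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample: stand-in bytes for a package tarball. A real check would
# read the .tgz fetched from the registry or from a local cache.
SAMPLE_TARBALL = b"PK\x03\x04 constructed package bytes for example-pkg@1.0.0"


def sri_sha512(data: bytes) -> str:
    """Return the SRI integrity string npm emits for a tarball: sha512-<base64>."""
    digest = hashlib.sha512(data).digest()
    return "sha512-" + base64.b64encode(digest).decode("ascii")


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check tarball bytes against an SRI string such as 'sha512-...' or 'sha256-...'.

    Returns False for malformed strings or unknown algorithms instead of raising,
    so a bad manifest entry is treated as a failed check rather than a crash.
    """
    algo, _, expected_b64 = integrity.partition("-")
    if algo not in hashlib.algorithms_available or not expected_b64:
        return False
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError:  # covers binascii.Error as well
        return False
    digest = hashlib.new(algo, data).digest()
    # Constant-time comparison so the check does not leak digest bytes via timing.
    return hmac.compare_digest(digest, expected)


def verify_manifest(manifest: dict, tarballs: dict) -> dict:
    """Verify every package in a lock-style manifest against the bytes we hold.

    manifest: {"packages": {name: {"version": ..., "integrity": "sha512-..."}}}
    tarballs: {name: bytes}
    Returns {name: True/False}; a missing tarball counts as a failure.
    """
    results = {}
    for name, entry in manifest["packages"].items():
        blob = tarballs.get(name)
        results[name] = blob is not None and verify_integrity(blob, entry["integrity"])
    return results


# Constructed manifest: the integrity value is computed from the genuine sample,
# which is what the registry metadata would have recorded at publish time.
MANIFEST = {
    "packages": {
        "example-pkg": {"version": "1.0.0", "integrity": sri_sha512(SAMPLE_TARBALL)},
    }
}


def demo():
    """Run the check once against the genuine bytes and once against a copy
    with a single bit flipped; returns the two result dicts."""
    good = verify_manifest(MANIFEST, {"example-pkg": SAMPLE_TARBALL})
    tampered = bytearray(SAMPLE_TARBALL)
    tampered[0] ^= 0x01
    bad = verify_manifest(MANIFEST, {"example-pkg": bytes(tampered)})
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The recorded integrity value is only as trustworthy as the metadata it came from; in a scenario like the one described above, where the attacker had read access to package metadata, the comparison should be made against a copy of the lock file that was committed before the incident window, not against metadata fetched afterwards.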

A separate investigation uncovered a number of plaintext user credentials for the npm registry that had been captured in internal logs as a result of the integration of npm with GitHub's logging systems. The company is resetting affected users' passwords and contacting them by email.
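The plaintext credentials the second investigation found reached internal logs because request data was forwarded into a logging pipeline without being scrubbed first. The following is an added example, not GitHub's or npm's tooling, showing a redaction filter of the kind that should sit between a registry and its central log store. The sample log lines, their field names and the overall log format are constructed assumptions for this example; the token shapes matched (JSON password fields, HTTP Authorization headers, userinfo in URLs, "npm_"-prefixed tokens and AWS access key IDs starting with AKIA or ASIA) are patterns a practitioner would commonly include.

```python
import re

# Constructed sample log lines (hypothetical format, not any real log schema).
# Each one models a way a credential can end up in a request log.
SAMPLE_LOGS = [
    'PUT /-/user/org.couchdb.user:alice 201 body={"name":"alice","password":"hunter2"}',
    'GET /@acme/private-lib 200 authorization="Bearer npm_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"',
    'GET /lodash 200 url=https://bob:s3cr3tpw@registry.example.invalid/lodash',
    'S3 PUT backup.tgz key=AKIAIOSFODNN7EXAMPLE status=ok',
    'GET /express 200 authorization="Basic YWxpY2U6aHVudGVyMg=="',
    'GET /react 200',
]

# (name, compiled pattern, replacement). Order matters: header-level rules run
# first so a whole Authorization value is removed even if the token inside it
# does not match a known token shape.
SECRET_PATTERNS = [
    ("json_password",
     re.compile(r'("password"\s*:\s*")[^"]*(")'), r'\1[REDACTED]\2'),
    ("authorization_header",
     re.compile(r'(authorization="(?:Bearer|Basic)\s+)[^"]+(")', re.IGNORECASE),
     r'\1[REDACTED]\2'),
    ("url_userinfo",
     re.compile(r'(://[^:/@\s]+:)[^@\s]+(@)'), r'\1[REDACTED]\2'),
    ("npm_token",  # assumed shape: "npm_" plus 36 alphanumerics
     re.compile(r'\bnpm_[A-Za-z0-9]{36}\b'), '[REDACTED_NPM_TOKEN]'),
    ("aws_access_key_id",  # AWS key IDs are 20 chars; AKIA/ASIA is the documented prefix
     re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b'), '[REDACTED_AWS_KEY_ID]'),
]


def scrub(line: str) -> tuple:
    """Return (redacted_line, names_of_rules_that_fired) for one log line."""
    hits = []
    for name, pattern, replacement in SECRET_PATTERNS:
        line, count = pattern.subn(replacement, line)
        if count:
            hits.append(name)
    return line, hits


def scrub_all(lines) -> list:
    """Scrub a batch of lines; returns a list of (redacted_line, hits) tuples."""
    return [scrub(line) for line in lines]


def leaked(lines, secrets) -> list:
    """Post-check used in tests and audits: which known secret strings still
    appear anywhere in the scrubbed output? Empty list means none."""
    joined = "\n".join(line for line, _ in scrub_all(lines))
    return [s for s in secrets if s in joined]


if __name__ == "__main__":
    for redacted, hits in scrub_all(SAMPLE_LOGS):
        print(f"{hits or ['-']!s:<28} {redacted}")
```

A filter like this belongs at the point where logs leave the service, and the `leaked` check is the kind of regression test that would have caught the plaintext credentials before the logs were shipped; pattern lists also need to be revisited whenever a new token format is introduced, since a rule set that predates a new prefix will silently pass it through.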

“Passwords belonging to the impacted users of the accessed database backup have been reset and these users are being notified. The two organizations that had private packages stolen were notified immediately after analysis confirmed the activity. Over the next few days, we will directly notify those with exposed private package manifests, metadata, and private package names and versions,” concludes the announcement.


Labels: Data Breach, GitHub, User Data, User Privacy, User Security