Full Report
On April 12, 2022, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.According to GitHu...
Analysis Summary
# Incident Report: Unauthorized Access via Third-Party OAuth Token Abuse
## Executive Summary
An unidentified threat actor leveraged stolen OAuth credentials from third-party integrators Heroku and Travis-CI to gain unauthorized access to GitHub repositories. The attacker prioritized the exfiltration of private data from dozens of organizations, including npm, using the broad permissions granted to these integration tokens. GitHub responded by revoking affected tokens, notifying victims, and coordinating with the compromised third-party vendors.
## Incident Details
- **Discovery Date:** April 12, 2022
- **Incident Date:** April 7, 2022 (approximate start of observed activity)
- **Affected Organizations:** GitHub, Heroku (Salesforce), Travis-CI, and dozens of downstream organizations (e.g., npm)
- **Sector:** Technology / Software Development
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 7 – April 12, 2022
- **Vector:** Abuse of stolen third-party OAuth tokens.
- **Details:** The attacker obtained OAuth user tokens issued to the Heroku and Travis-CI applications. These tokens were not stolen through a breach of GitHub itself, but likely via the providers or associated infrastructure.
### Lateral Movement
- **Method:** Using the stolen tokens, the attacker authenticated as the users who had authorized the Heroku or Travis-CI apps. This allowed the attacker to list organizations the users belonged to and identify target private repositories.
### Data Exfiltration/Impact
- **Details:** The attacker systematically downloaded private repository data from dozens of affected organizations. Notably, the threat actor accessed the **npm** internal infrastructure and downloaded snapshots of private repositories.
### Detection & Response
- **Discovery:** GitHub Security identified unauthorized access to their infrastructure via anomalous API patterns during a routine security review on April 12.
- **Response Actions:** GitHub revoked the compromised OAuth tokens, reached out to Heroku and Travis-CI to assist in their investigations, and notified all impacted organization owners.
## Attack Methodology
- **Initial Access:** Valid Accounts (OAuth Tokens).
- **Persistence:** Not applicable; relied on the validity of the stolen integration tokens.
- **Privilege Escalation:** Not applicable; used the existing "read" or "write" scopes assigned to the Heroku/Travis-CI apps.
- **Defense Evasion:** Use of legitimate OAuth tokens to mimic authorized developer activity.
- **Credential Access:** Theft of OAuth tokens from third-party integrators (outside GitHub's direct environment).
- **Discovery:** Automated enumeration of repositories and organizations accessible via the stolen tokens.
- **Lateral Movement:** Pivot from third-party integration access to internal GitHub repository content.
- **Collection:** Automated cloning/downloading of private git repositories.
- **Exfiltration:** Data transferred to attacker-controlled infrastructure via GitHub's API.
- **Impact:** Theft of proprietary source code and potential exposure of embedded secrets.
## Impact Assessment
- **Financial:** Indirect costs related to incident response, forensic auditing, and remediation for dozens of companies.
- **Data Breach:** Exfiltration of private source code from dozens of organizations; exposure of npm internal repository snapshots.
- **Operational:** Disruption to development workflows as integrations were severed to contain the threat.
- **Reputational:** Increased scrutiny on the security of the OAuth ecosystem and "supply chain" dependencies.
## Indicators of Compromise
- **Behavioral Indicators:**
- High-volume repository downloads via OAuth-authenticated sessions.
- API requests originating from unusual IP ranges (e.g., known VPNs or VPS providers).
- Use of the `Heroku` or `Travis-CI` OAuth application IDs to access organizations that do not actively use those services.
## Response Actions
- **Containment:** Revocation of all OAuth tokens issued to the Heroku and Travis-CI apps during the window of compromise.
- **Eradication:** GitHub and the affected third parties performed deep-dive forensics to ensure no backdoors were planted in the code.
- **Recovery:** Restoration of integration services only after new, secure tokens were re-issued and rotation protocols implemented.
## Lessons Learned
- **Key Takeaways:** Security is only as strong as the weakest link in the integration chain. A breach at a trusted third-party partner can lead to a full source code compromise.
- **Shortcomings:** Over-permissioned OAuth tokens (excessive scopes) allowed the attacker to move from a simple integration to downloading entire private codebases.
## Recommendations
- **Principle of Least Privilege:** Audit OAuth scopes and ensure third-party apps only have the minimum access required.
- **Token Rotation:** Implement regular rotation of integration secrets and OAuth tokens.
- **Monitoring:** Implement alerting for anomalous repository cloning activity, especially when performed by automated integration accounts.
- **Secret Scanning:** Actively scan repositories for hardcoded secrets, as source code theft often leads to secondary credential compromise.