April 28, 2022

GitHub has confirmed a security breach that saw an attacker use stolen OAuth app tokens to steal private repositories from dozens of organizations.

The attack process involves authenticating the attacker authenticating to the GitHub API with the stolen oAuth tokens issues to Heroku and Travis CI, the attacker listing all of the user’s organizations, and the attacker selectively selects targets based on the organizations listed.

The attacker listed the private repositories for user accounts of interest, and the attacker then proceeded to clone some of those private repositories.

“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku,” GitHub said.

GitHub also shared guidelines that can assist customers in investigating logs for data exfiltration or malicious activity.

This includes checking all private repositories for secrets and credentials stored in them, checking oAuth applications authorized for a personal account, and adhering to GitHub policies to improve the security of their GitHub organizations.

Others include checking their account activity, personal access tokens, oAuth apps, and SSH keys for activity or changes that may have come from the attacker.

The sources for this piece include an article in BleepingComputer.