Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis-CI as “highly targeted” in nature.
“This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories,” GitHub’s Mike Hanley said in an updated post.
The security incident, which it discovered on April 12, related to an unidentified attacker leveraging stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including NPM.
The Microsoft-owned company stated last week it is in the process to send a final set notifications to GitHub users who have either the Travis CI OAuth App integrations or Heroku enabled in their accounts.
According to a detailed step-by-step analysis carried out by GitHub, the adversary is said to have employed the stolen app tokens to authenticate to the GitHub API, using it to list all the organizations of affected users.
This was then succeeded by selectively choosing targets based on the listed organizations, following it up by listing the private repositories of valuable users accounts, before moving to clone some of those private repositories ultimately.
The company also reiterated that the tokens were not obtained via a compromise of GitHub or its systems, and that the tokens are not stored in their “original, usable formats,” which could be misused by an attacker.