GitHub revealed today that an attacker stole the login details of roughly 100,000 npm accounts during a mid-April security breach with the help of stolen OAuth app tokens issued to Heroku and Travis-CI.
The threat actor successfully breached and exfiltrated data from private repositories belonging to dozens of organizations.
GitHub disclosed this security breach on April 15, three days after discovering the attack, when the malicious actor gained access to npm production infrastructure.
The threat actor escalated their access using a compromised AWS access key, obtained after downloading several private npm repositories using the stolen OAuth user tokens in the initial stage of the attack.
Today, Greg Ose, Senior Director for Product Security Engineering at GitHub, said the company found during the investigation that the unknown threat actors stole the following data from npm cloud storage:
- Roughly 100k npm usernames, password hashes, and email addresses from a 2015 archive of user data.
- All private package manifests and metadata as of April 7, 2021.
- Names and the semVer of published versions of all private packages as of April 10, 2022.
- Private packages from two organizations.
However, although the password hashes were generated using weak hashing algorithms (i.e., PBKDF2 or salted SHA1) and could be cracked to take over accounts, such attempts would be automatically blocked by the email verification enabled on all accounts since March 1, 2022, if they are not enrolled in 2FA.
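The weakness described above (a single salted SHA1 over the password) is one that registries typically fix by re-hashing each stored credential with a modern, memory-hard scheme the next time its owner logs in. The following is an added illustration written for this article, not GitHub's or npm's code: it verifies a legacy salted-SHA1 record with a constant-time comparison and, on success, returns an upgraded scrypt record for the caller to store. The record format (`scheme$salt$digest`) and the sample salt are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed on-disk record format for this example: "<scheme>$<salt hex>$<digest hex>".
LEGACY_SCHEME = "sha1"    # the weak scheme the article mentions
STRONG_SCHEME = "scrypt"  # memory-hard replacement from the standard library


def legacy_salted_sha1(password: str, salt: bytes) -> str:
    """Build a record in the weak legacy form: one SHA-1 over salt + password."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_SCHEME}${salt.hex()}${digest}"


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build a record using scrypt (n=2**14, r=8, p=1, 16 MiB of memory per guess)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32
    )
    return f"{STRONG_SCHEME}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check `password` against `stored`.

    Returns (ok, upgraded_record). `upgraded_record` is a new scrypt record
    when the login succeeded against a legacy hash and the stored value should
    be replaced; it is None when no rewrite is needed or the password is wrong.
    """
    scheme, salt_hex, digest = stored.split("$", 2)
    salt = bytes.fromhex(salt_hex)
    pw = password.encode("utf-8")

    if scheme == LEGACY_SCHEME:
        expected = hashlib.sha1(salt + pw).hexdigest()
        ok = hmac.compare_digest(expected, digest)
        # Rehash-on-login: the plaintext is only available now, so upgrade here.
        return ok, (strong_hash(password) if ok else None)

    if scheme == STRONG_SCHEME:
        expected = hashlib.scrypt(pw, salt=salt, n=2**14, r=8, p=1, dklen=32)
        ok = hmac.compare_digest(expected.hex(), digest)
        return ok, None

    raise ValueError(f"unknown hash scheme: {scheme}")


if __name__ == "__main__":
    # Constructed sample: a legacy record for a user whose login we then process.
    legacy = legacy_salted_sha1("correct horse battery", bytes(range(16)))
    ok, upgraded = verify("correct horse battery", legacy)
    print(ok, upgraded is not None and upgraded.startswith(STRONG_SCHEME))
```

The comparison uses `hmac.compare_digest` so that verification time does not leak how many leading hex characters matched, and the upgrade path only runs after a successful check, since that is the only moment the plaintext is legitimately in hand.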
After log and event analysis and checking hashes for all npm package versions, GitHub “is currently confident that the actor did not modify any published packages in the registry or publish any new versions to existing packages.”
GitHub has reset all passwords belonging to impacted npm users and is notifying all organizations and users whose data was accessed by the attacker.
Cleartext npm credentials found in internal logs
While investigating the April OAuth breach, GitHub says it also found some plaintext credentials stored in internal logs for npm services.
Fortunately, only GitHub employees had access to this information while these login details were exposed.
Credential data found in internal logs includes npm access tokens, a small number of cleartext passwords used to sign in to npm accounts, and some GitHub Personal Access Tokens sent to npm services.
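Tokens and passwords end up in request logs when a logging pipeline records headers and bodies verbatim. The example below is an added illustration for this article, not GitHub's or npm's tooling: it redacts authorization headers, token-shaped strings and password fields from log lines before they are written, and reports which lines in a batch carried secrets so the finding can be triaged. The token shapes (a `ghp_` or `npm_` prefix followed by 36 token characters), the field names and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Callable, List, Pattern, Tuple

# Ordered so that whole header values are scrubbed before bare-token patterns run,
# otherwise one token would be counted twice. Shapes are assumptions for this example.
PATTERNS: List[Tuple[str, Pattern[str]]] = [
    ("bearer", re.compile(r"(?i)(authorization:\s*bearer\s+)\S+")),
    ("basic", re.compile(r"(?i)(authorization:\s*basic\s+)\S+")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("npm_token", re.compile(r"\bnpm_[A-Za-z0-9]{36}\b")),
    ("password_field", re.compile(r'(?i)("?password"?\s*[:=]\s*"?)[^"&\s,]+')),
]


def redact_line(line: str) -> Tuple[str, int]:
    """Return the line with secrets replaced and the number of replacements made."""
    count = 0
    for name, pattern in PATTERNS:
        def repl(match: "re.Match[str]", name: str = name) -> str:
            nonlocal count
            count += 1
            # Keep the header or field prefix (group 1) so the log stays readable.
            prefix = match.group(1) if match.lastindex else ""
            return f"{prefix}[REDACTED:{name}]"
        line = pattern.sub(repl, line)
    return line, count


def scan_log(lines: List[str]) -> List[Tuple[int, str, int]]:
    """Detection view: (index, redacted line, hits) for every line that carried a secret."""
    findings = []
    for idx, line in enumerate(lines):
        redacted, hits = redact_line(line)
        if hits:
            findings.append((idx, redacted, hits))
    return findings


def safe_logger(sink: Callable[[str], None]) -> Callable[[str], None]:
    """Wrap a log sink so nothing reaches it without passing through redact_line."""
    return lambda line: sink(redact_line(line)[0])


# Constructed sample log lines (not real traffic, tokens are filler characters).
SAMPLE_LOG = [
    'POST /-/user/org.couchdb.user:alice 200 body={"name":"alice","password":"hunter2"}',
    "GET /@acme/private-pkg 200 authorization: Bearer npm_" + "a" * 36,
    "GET /-/whoami 200 authorization: Bearer ghp_" + "B" * 36,
    "GET /lodash 200 ua=npm/8.5.0",
]

if __name__ == "__main__":
    log = safe_logger(print)
    for entry in SAMPLE_LOG:
        log(entry)
    print(len(scan_log(SAMPLE_LOG)), "lines contained credentials")
```

Running `scan_log` over an existing log archive gives the purge list the article describes, while wrapping the sink with `safe_logger` keeps new credentials from being captured in the first place; the two functions share one pattern table so detection and prevention cannot drift apart.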
“Following an internal discovery and additional investigation unrelated to the OAuth token attack, GitHub discovered a number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems,” Ose added.
“This issue was mitigated and logs containing the plaintext credentials were purged prior to the attack on npm.”