GitHub suffered a third-party breach after a malicious threat actor was discovered smuggling data out of the repository using stolen OAuth tokens.

OAuth tokens are a standard method for automating cloud services, such as code repositories and DevOps pipelines, explains Ray Kelly, Fellow at NTT Application Security. “These tokens are considered secrets for a good reason and are often “masked” with stars or not shown at all to help protect connected business services.”

If a token is compromised, a malicious actor can steal corporate IP or modify source code to initiate a supply chain attack that could spread malware or steal PII from unsuspecting customers, Kelly says. 

GitHub Security does not believe the attack obtained these tokens via a compromise of GitHub or its systems because GitHub does not store the tokens in question in their original, usable formats. In addition, GitHub Security has high confidence that compromised OAuth user tokens from Heroku and Travis-CI, third-party OAuth integrators, were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Chief Security Officer at GitHub Mike Hanley said, “The applications maintained by these integrators were used by GitHub users, including GitHub itself.”

Known-affected OAuth applications as of April 15, 2022:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub Security contacted Heroku and Travis-CI to request that they initiate their security investigations, revoke all OAuth user tokens associated with the affected applications and begin work to notify their users.

Further analysis also revealed that the threat actor may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure, Hanley noted.

The compromise of OAuth user tokens and the source code breaches are just the latest examples of malicious actors gaining access to source code as part of sophisticated supply chain attacks, according to Prakash Linga, Co-Founder and CEO at BluBracket. “Organizations should operate as though their code could leak tomorrow and take action to ensure that it would be a non-threatening event if the code were to leak. Adopting tools and solutions that enable organizations to take an “early and often” automated approach to source code security is key. Tools that identify and eliminate risks help ensure that if the code does get out, it has a minimal impact on the company from a cost or risk perspective or no impact at all,” Linga says.