GitHub Announces 100,000 npm Users’ Credentials Stolen

GitHub has announced that 100,000 npm user information was stolen through OAuth tokens linked to Heroku and Travis CI. It was previously stated that there was a security breach in mid-April, but detailed information was not provided.

The campaign was carried out by a threat actor and detected on April 12, it was stated that attackers might have accessed many organizations’ data using OAuth applications. “They gained access to npm production infrastructure,” says GitHub regarding this security breach.

GitHub, Travis CI, and Heroku Revoke OAuth Tokens

According to cybersecurity researchers’ reviews, threat actors were able to download private npm repositories using the OAuth user tokens they obtained in the first stage. In this way, attackers who obtained AWS access keys used these keys to escalate their access.

Immediately after the security breach was discovered, GitHub, Travis CI, and Herkou announced revoking all their OAuth tokens to prevent new attacks.

What’s in the Stolen npm Repositories?

Greg Ose, Senior Director of Product Security Engineering at GitHub, said that the following data was stolen from npm cloud repositories as a result of the company’s investigation:

100,000 npm usernames, password hashes, and email addresses from the 2015 user information archive
All custom package notices and metadata as of April 7, 2021
Names and semVer of all special packs released as of April 10, 2022
Special packages for two organizations

Although password hashes are generated using weak algorithms and can be easily cracked for account takeover, attack attempts will be blocked automatically as email verification is enabled on all accounts from March 1, 2022.

What to Do for Remediation?

GitHub has alerted all organizations and users whose data was compromised by the attacker, resetting the passwords of all npm users affected by the breach.

Here’s what needs to be done to revoke npm tokens. You can also click here to manually reset the npm account password.