SOCRadar® Cyber Intelligence Inc. | GitHub Announces 100,000 npm Users’ Credentials Stolen


May 30, 2022
3 Mins Read

GitHub Announces 100,000 npm Users’ Credentials Stolen

GitHub has announced that 100,000 npm user information was stolen through OAuth tokens linked to Heroku and Travis CI. It was previously stated that there was a security breach in mid-April, but detailed information was not provided.

The campaign was carried out by a threat actor and detected on April 12, it was stated that attackers might have accessed many organizations’ data using OAuth applications. “They gained access to npm production infrastructure,” says GitHub regarding this security breach.

GitHub, Travis CI, and Heroku Revoke OAuth Tokens

According to cybersecurity researchers’ reviews, threat actors were able to download private npm repositories using the OAuth user tokens they obtained in the first stage. In this way, attackers who obtained AWS access keys used these keys to escalate their access.

Immediately after the security breach was discovered, GitHub, Travis CI, and Herkou announced revoking all their OAuth tokens to prevent new attacks.

What’s in the Stolen npm Repositories?

Greg Ose, Senior Director of Product Security Engineering at GitHub, said that the following data was stolen from npm cloud repositories as a result of the company’s investigation:

  • 100,000 npm usernames, password hashes, and email addresses from the 2015 user information archive
  • All custom package notices and metadata as of April 7, 2021
  • Names and semVer of all special packs released as of April 10, 2022
  • Special packages for two organizations

Although password hashes are generated using weak algorithms and can be easily cracked for account takeover, attack attempts will be blocked automatically as email verification is enabled on all accounts from March 1, 2022.

What to Do for Remediation?

GitHub has alerted all organizations and users whose data was compromised by the attacker, resetting the passwords of all npm users affected by the breach.

Here’s what needs to be done to revoke npm tokens. You can also click here to manually reset the npm account password.


With SOCRadar® Free Edition, you’ll be able to:

  • Prevent Ransomware attacks with Free External Attack Surface Management
  • Get Instant alerts for fraudulent domains against phishing and BEC attacks
  • Monitor Deep Web and Dark Net for threat trends
  • Get vulnerability intelligence when a critical zero-day is disclosed
  • Get IOC search & APT tracking & threat hunting in one place
  • Get notified with data breach detection

Free for 12 months for one corporate domain and 100 auto-discovered digital assets.
Get Free Access.