100,000 NPM users’ credentials stolen in the April cyberattack on GitHub

GitHub provided additional information about the cyber security incident that suffered in April, the threat actors were able to steal nearly 100K NPM users’ credentials.

In April, the firm uncovered threat actors using stolen OAuth user tokens to gain access to their repositories and download private data from several organizations.

The hackers abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. The firm excluded that the attacker obtained these tokens via a compromise of GitHub or its networks , the company explained that the stolen tokens used to access the repositories are not stored by GitHub in their original, usable formats.

On April 12, GitHub launched an investigation into a series of unauthorized access to data stored in repositories of dozens of organizations. The experts first detected the intrusion on April 12 when the company’s security team identified unauthorized access to their npm production infrastructure using a compromised AWS API key.

The threat actors allegedly obtained the AWS API key by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub revoked the access tokens associated with the affected apps.

Now the Microsoft-owned company provided an update on the incident, the attackers were able to escalate access to npm infrastructure and access the following files exfiltrated from npm cloud storage:

An additional investigation, unrelated to the OAuth token attack, revealed a number of plaintext user credentials for the npm registry that were collected in internal logs as a result of the integration of npm into GitHub logging systems.

US car giant General Motors also was hit by a credential stuffing attack last month that exposed customer data and allowed hackers to redeem rewards points for gift cards.