GitHub: Nearly 100,000 NPM Users’ credentials stolen in the April OAuth token attack

Pierluigi Paganini May 28, 2022

GitHub provided additional details into the theft of its integration OAuth tokens that occurred in April, with nearly 100,000 NPM users’ credentials.

GitHub provided additional details about the incident that suffered in April, the attackers were able to steal nearly 100K NPM users’ credentials.

In April, GitHub uncovered threat actors using stolen OAuth user tokens to gain access to their repositories and download private data from several organizations.

The attackers abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. GitHub excluded that the attacker obtained these tokens via a compromise of GitHub or its systems, the company explained that the stolen tokens used to access the repositories are not stored by GitHub in their original, usable formats. 

On April 12, the company launched an investigation into a series of unauthorized access to data stored in repositories of dozens of organizations. The experts first detected the intrusion on April 12 when the company’s security team identified unauthorized access to their npm production infrastructure using a compromised AWS API key.

The threat actors allegedly obtained the AWS API key by downloading a set of unspecified private NPM repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub revoked the access tokens associated with the affected apps.

Now the Microsoft-owned company provided an update on the incident, the attackers were able to escalate access to npm infrastructure and access the following files exfiltrated from npm cloud storage:

  • A backup of containing data from April 7, 2021, with the following information:An archive of user information from 2015. This contained npm usernames, password hashes, and email addresses for roughly 100k npm users.
  • All private npm package manifests and package metadata as of April 7, 2021.
  • A series of CSVs containing an archive of all names and version numbers (semVer) of published versions of all npm private packages as of April 10, 2022.
  • Private packages from two organizations.

The analysis of the log and package hash verification, suggests that the attackers did not modify any package in the repository or publish any new versions of existing packages.

An additional investigation, unrelated to the OAuth token attack, revealed a number of plaintext user credentials for the npm registry that were collected in internal logs as a result of the integration of npm into GitHub logging systems.

The company is resetting the passwords of impacted users and notifying users by email.

“Passwords belonging to the impacted users of the accessed database backup have been reset and these users are being notified. The two organizations that had private packages stolen were notified immediately after analysis confirmed the activity. Over the next few days, we will directly notify those with exposed private package manifests, metadata, and private package names and versions.” concludes the announcement.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Github)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment