Cloud-based repository hosting service GitHub has shared additional details on the April security incident in which attackers breached dozens of organizations using stolen OAuth user tokens that had been issued to the third-party OAuth integrators Heroku and Travis-CI.
Greg Ose, Senior Director for Product Security Engineering at GitHub, said in an updated blog post that further investigation into the breach revealed that the attackers were able to escalate their access to npm infrastructure and exfiltrate data from npm cloud storage. The stolen data comprised: an archive of user information from 2015 containing npm usernames, password hashes, and email addresses for roughly 100k npm users; all private npm package manifests and package metadata as of April 7, 2021; a series of CSVs containing an archive of the names and version numbers (semVer) of all published versions of all private npm packages as of April 10, 2022; and private packages belonging to two organizations.
GitHub said it is confident that the attackers did not alter any published packages in the registry, or publish any new versions to existing packages.
During a separate investigation, unrelated to the OAuth token breach, the company discovered a number of plaintext user credentials for the npm registry that had been captured in internal logs following the integration of npm into GitHub's logging systems. GitHub said this issue was mitigated before the attack on npm occurred.