An Attacker is Using Stolen OAuth Tokens to Steal Data From Private GitHub Repositories
Attacker stole $182 million from Beanstalk stablecoin protocol, State Department issues $5 million reward for N. Korea crypto thieves, Catalan civil groups and UK offices targeted with spyware, more
Heads-Up! Metacurity will be on a spring break from April 20th through April 29th. We aim to auto-post original content for our premium subscribers-only during this hiatus. So, sign up for a premium subscription today!
GitHub said that an attacker is using stolen OAuth user tokens (issued to Heroku and Travis-CI) to download data from private repositories.
Since the campaign was discovered on April 12, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm. GitHub says the attacker did not obtain these tokens via a compromise of GitHub or its systems because GitHub does not store the tokens in question in their original, usable formats.
The organization’s analysis suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure. While the attacker could steal dat…
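The report says the actors appear to be mining the downloaded repository contents for secrets that let them pivot further. The defensive counterpart is to find such material in your own repositories before a stolen token does. The scanner below is an added example, not GitHub's, Heroku's or Travis-CI's tooling: it combines two documented credential formats (AWS access key IDs begin with `AKIA`; classic GitHub personal access tokens begin with `ghp_`) with a generic "secret-looking assignment" rule gated by Shannon entropy, so that placeholder values such as a run of repeated characters are not reported. The repository contents are constructed for the example; `AKIAIOSFODNN7EXAMPLE` is the example key used in AWS documentation, and the other values are made up.

```python
"""Minimal secret scanner over in-memory repository contents (added example)."""
import math
import re
from dataclasses import dataclass

# Constructed sample repository: file path -> file contents. None of these are real credentials.
SAMPLE_REPO = {
    "config/settings.py": 'DEBUG = True\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    ".env": "GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\nLOG_LEVEL=info\n",
    "deploy.sh": 'export SECRET_KEY="Hq9vLm2ZpXw4Tn8Kd1Yb7RcF3sJ6uW"\nPASSWORD="aaaaaaaaaaaaaaaaaaaaaaaa"\n',
    "README.md": "# Demo project\nRun `make build` to compile.\n",
    "src/app.py": 'API_URL = "https://api.example.invalid/v1"\n',
}

# Credential formats with publicly documented prefixes.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: a secret-ish variable name followed by a long token-like value.
# Candidates are only reported when the value's entropy is high enough.
GENERIC_RULE = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[=:]\s*[\"']?([A-Za-z0-9_\-/+=]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a threshold chosen for this example


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never carry the full secret into logs or reports


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-character string."""
    if not s:
        return 0.0
    length = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; specific rules win over the generic rule on a line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, pattern in SPECIFIC_RULES.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, name, redact(m.group(0))))
                matched = True
        if matched:
            continue
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "generic-high-entropy", redact(m.group(2))))
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file in a path -> contents mapping, in a stable order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

Running the block reports the AWS key in `config/settings.py`, the token in `.env` and the high-entropy `SECRET_KEY` in `deploy.sh`, while the repeated-character `PASSWORD` placeholder is dropped by the entropy gate. In practice a finding should feed a rotation workflow rather than a report alone: a secret that has lived in repository history is best treated as exposed once a third-party token with read access has been misused.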