GitHub's chief security officer wrote that on Tuesday, "GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm."

We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14. Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps.

Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure. We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves. The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key. Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above.

Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm's internal use of these compromised applications. At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We believe that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub and potential access to the npm packages as they exist in AWS S3 storage. We are still working to understand whether the attacker viewed or downloaded private packages. npm uses completely separate infrastructure from GitHub; GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users. GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across the GitHub platform. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours.