Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators
On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. The applications maintained by these integrators were used by GitHub users, including GitHub itself. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14; more detail is available below and we will update this blog as we learn more.
The investigating is still ongoing. This post will be updated once we know more. In SilverKey we rely on GitHub to manage all of our development process. We are glad that they are open and vigilants in regards on security threats and breaches to their systems.