Stolen OAuth tokens used to exfiltrate private data

By Niranjan Maharajh, May 13, 2022

GitHub reported that threat actors used stolen OAuth user tokens to exfiltrate private data from several organizations. Threat actors abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.

The threat actors allegedly obtained an AWS API key by downloading a set of unspecified private npm repositories using the stolen OAuth token from one of the two affected OAuth applications. GitHub revoked the access tokens associated with the affected apps.

Threat actors may be harvesting sensitive data from private repositories using stolen OAuth tokens. The known-affected OAuth applications as of April 15 are:

  • Heroku Dashboard (ID: 145909)
  • Heroku Dashboard (ID: 628778)
  • Heroku Dashboard – Preview (ID: 313468)
  • Heroku Dashboard – Classic (ID: 363831)
  • Travis CI (ID: 9216)
