The Hacker News reports that nearly 100,000 GitHub users had their NPM usernames, passwords, and email addresses compromised after GitHub integration OAuth tokens were stolen last month.
Attackers were also able to leverage the stolen OAuth tokens to obtain access to CSV files containing an archive of all NPM private packages' names and version numbers until April 10, as well as some private package data from two organizations, according to GitHub.
Threat actors achieved the compromise by exploiting the OAuth tokens to exfiltrate private NPM repositories, then used the stolen AWS access keys to infiltrate the registry's infrastructure. However, GitHub noted that the attackers neither altered any published packages nor added new versions of existing packages.
"The attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories," said GitHub regarding the "highly targeted" campaign earlier this month.
GitHub OAuth breach compromises almost 100K users