GitHub reveals that 100K npm user accounts compromised

Kumud Rathore

May 27, 2022

Github discloses login details of roughly 100,000 npm accounts by mid-April, data was breached with stolen OAuth apps token issued to Heroku and Travis-CI. Threats were escalated with a compromised AWS access key, after downloading multiple private npm repositories using the stolen OAuth user tokens. GitHub, Travis CI, and Heroku revoked all OAuth tokens to block further hacking attempts. Breached data included all private package manifests and metadata of April 7, 2021. Password hashes are generated operating weak hashing algorithms like PBKDF2 or salted SHA1 and can be cracked to take over accounts. Attempts would be automatically blocked by email verification enabled on all accounts since March 1, 2022, if they're not enrolled in 2FA. GitHub resets all passwords of affected npm users and informs all organizations and users whose data has been accessed by the attacker. Data found in internal logs includes npm access tokens, a few of cleartext passwords exploited to sign in to npm accounts, and some GitHub Personal Access Tokens sent to npm services. GitHub uncovered numerous plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems

Abridged fromBleeping Computer