According to GitHub, the April attack that used stolen Heroku and Travis CI OAuth tokens also gave the attackers credentials for about 100,000 npm accounts.
With the stolen OAuth tokens the attackers cloned private repositories belonging to dozens of organizations, among them a number of private npm repositories. In the downloaded npm repositories they found an AWS access key, which they then used to get further into npm's infrastructure.
According to Greg Ose, senior director of product security engineering at GitHub, the investigation established that the attackers took the following data from npm's cloud storage:
about 100,000 usernames, password hashes and email addresses from a 2015 archive of user data;
all private package manifests and package metadata as of April 7, 2021;
the names and semver versions of every published version of all private packages as of April 10, 2022;
the private packages of two organizations.
Although the password hashes were produced with weak algorithms (PBKDF2 or salted SHA-1) and could be brute-forced offline, any attempt to log in with a recovered password is automatically blocked by the email verification step, which is enabled by default for every account that does not have two-factor authentication.
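To make the brute-force point concrete, here is an added example (not GitHub's or npm's code) of a dictionary attack against a small constructed dump of salted SHA-1 and PBKDF2-SHA1 hashes. The record layout, usernames, salts, iteration count and wordlist are all invented for the illustration; the scheme names are the ones the article gives.

```python
"""Dictionary attack on a dump of salted SHA-1 and PBKDF2-SHA1 password hashes.

Added example, not code from GitHub or npm. The record layout, users, salts,
iteration count and wordlist are constructed for illustration only.
"""
import hashlib
import hmac

# Constructed wordlist: the first guesses any cracker would try.
WORDLIST = ["password", "123456", "letmein", "npm2015", "correcthorse"]


def salted_sha1(password: str, salt: bytes) -> str:
    """Legacy scheme: a single SHA-1 over salt || password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def pbkdf2_sha1(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA1; cost grows only linearly with the iteration count."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations).hex()


def make_record(user: str, algo: str, password: str, salt: bytes, iterations: int = 0) -> dict:
    """Build one dump record the way a registry would have stored it."""
    if algo == "sha1":
        digest = salted_sha1(password, salt)
    elif algo == "pbkdf2":
        digest = pbkdf2_sha1(password, salt, iterations)
    else:
        raise ValueError(f"unknown algorithm {algo!r}")
    return {"user": user, "algo": algo, "salt": salt, "iterations": iterations, "hash": digest}


def hash_guess(rec: dict, candidate: str) -> str:
    """Hash a candidate password under the record's own algorithm and salt."""
    if rec["algo"] == "sha1":
        return salted_sha1(candidate, rec["salt"])
    return pbkdf2_sha1(candidate, rec["salt"], rec["iterations"])


def crack(records: list, wordlist: list) -> dict:
    """Return {user: password} for every record whose password is in the wordlist.

    A per-user salt rules out precomputed tables, but each guess still costs
    one SHA-1 (or `iterations` HMAC-SHA1 calls), so a short wordlist is cheap
    to exhaust against every record in the dump.
    """
    found = {}
    for rec in records:
        for candidate in wordlist:
            if hmac.compare_digest(hash_guess(rec, candidate), rec["hash"]):
                found[rec["user"]] = candidate
                break
    return found


def guess_cost(records: list, wordlist: list) -> int:
    """Worst-case number of SHA-1 / HMAC-SHA1 evaluations to exhaust the wordlist."""
    return sum(
        (1 if rec["algo"] == "sha1" else rec["iterations"]) * len(wordlist)
        for rec in records
    )


# Constructed dump: two weak passwords and one that is not in the wordlist.
DUMP = [
    make_record("alice", "sha1", "letmein", b"\x01\x02\x03\x04"),
    make_record("bob", "pbkdf2", "npm2015", b"\xaa\xbb\xcc\xdd", iterations=1000),
    make_record("carol", "sha1", "Tr0ub4dor&3!", b"\x10\x20\x30\x40"),
]

if __name__ == "__main__":
    print(crack(DUMP, WORDLIST))       # {'alice': 'letmein', 'bob': 'npm2015'}
    print(guess_cost(DUMP, WORDLIST))  # 5010
```

Cracking happens offline on the attacker's own hardware, so the email verification step changes nothing about how fast the hashes fall; it only stops a recovered password from being used to log in. A thousand PBKDF2 iterations buys a thousandfold slowdown over plain salted SHA-1 and nothing more, which is why memory-hard schemes such as scrypt or Argon2 are preferred for new password stores.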
Analysis of the event logs and of the hashes of every version of every npm package showed that the attackers did not modify any package and did not publish new packages or new versions of existing ones.
GitHub has reset the passwords of all affected npm users and notified them.
While investigating the April incident, GitHub also found plaintext credentials in the internal logs of npm services: npm access tokens, a small number of npm account passwords, and GitHub personal access tokens that had been sent to npm services.
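An AWS key sitting in a private repository and tokens and passwords captured in service logs are both what a secret scanner is meant to catch. The following added example (not part of the original article and not GitHub's or npm's tooling) scans constructed file contents and log lines for AWS access keys, GitHub and npm tokens and JSON password fields, and redacts them before a line reaches a log. The AWS key pair is the one AWS uses in its own documentation; the `ghp_`/`npm_` token lengths, the sample log lines and all function names are assumptions made for this illustration.

```python
"""Scan repository contents and service logs for plaintext secrets and redact them.

Added example, not GitHub's or npm's tooling. The AWS key pair below is the
one AWS uses in its own documentation; the ghp_/npm_ token formats, the sample
log lines and all function names are assumptions made for this illustration.
"""
import re

# kind -> (pattern, replacement used when redacting)
SECRET_PATTERNS = {
    # AWS access key IDs are 20 characters starting with AKIA.
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "AKIA[REDACTED]"),
    # 40-char secret, only flagged when it sits next to its variable name.
    "aws_secret_access_key": (
        re.compile(r"(?i)(aws_secret_access_key\s*[=:]\s*)[A-Za-z0-9/+=]{40}(?=\s|$)"),
        r"\1[REDACTED]",
    ),
    # Assumed: classic GitHub PATs are ghp_ followed by 36 alphanumerics.
    "github_pat": (re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "ghp_[REDACTED]"),
    # Assumed: current npm tokens are npm_ followed by 36 alphanumerics.
    "npm_token": (re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"), "npm_[REDACTED]"),
    # A password field inside a logged JSON request body.
    "password_field": (re.compile(r'("password"\s*:\s*")[^"]*(")'), r"\1[REDACTED]\2"),
}


def redact(line: str) -> str:
    """Mask every known secret shape in a line; safe to call before logging."""
    for pattern, replacement in SECRET_PATTERNS.values():
        line = pattern.sub(replacement, line)
    return line


def scan_text(text: str, source: str = "<text>") -> list:
    """Return one finding per secret: its kind, location and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, (pattern, _) in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "preview": redact(match.group(0)),
                })
    return findings


# Constructed sample: a config file committed to a private repository.
REPO_FILE = """\
# deploy settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
REGION=us-east-1
"""

# Constructed sample: request log lines from a registry service.
LOG_LINES = """\
2022-04-12T10:01:03Z GET /-/whoami authorization=Bearer npm_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
2022-04-12T10:01:05Z POST /-/user/login body={"name":"alice","password":"letmein"}
2022-04-12T10:01:09Z GET /repos headers={"Authorization":"token ghp_0123456789abcdefghijklmnopqrstuvwxyz"}
2022-04-12T10:01:12Z GET /package/foo 200
"""

if __name__ == "__main__":
    for finding in scan_text(REPO_FILE, "deploy.env") + scan_text(LOG_LINES, "registry.log"):
        print(finding)
    print(redact(LOG_LINES.splitlines()[0]))
```

Run `scan_text` over a repository checkout to find keys before they are committed, and wrap a service's log writer with `redact` so that an Authorization header or a login body never lands in the log in the first place. The patterns are deliberately tight (a known prefix plus a fixed length, or a value next to its variable name) so that the scanner does not drown in false positives from ordinary base64 strings.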