

Stolen OAuth Tokens Used in GitHub Attack


engine

8:39 am on Apr 18, 2022 (gmt 0)




GitHub has said it's investigating an attack using stolen OAuth tokens issued by two third-party OAuth integrators, where the attacker downloaded data from many organizations, including npm.

The investigation is ongoing, but users should be aware of the investigation and should take action accordingly.

Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.

Known-affected OAuth applications as of April 15, 2022:

Heroku Dashboard (ID: 145909)
Heroku Dashboard (ID: 628778)
Heroku Dashboard – Preview (ID: 313468)
Heroku Dashboard – Classic (ID: 363831)
Travis CI (ID: 9216)

We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.


[github.blog...]