GitHub has warned users about attackers who steal data from private repositories using stolen OAuth user tokens. According to the announcement, the campaign was first spotted on the 12th of April. The attacker is abusing OAuth apps maintained by Heroku and Travis-CI and has managed to steal data from dozens of victims, including npm.
OAuth user tokens
GitHub stated that it contacted known victims of the token theft on the 18th of April, that attacks may be ongoing, and that customers may need to take action. Known-affected OAuth applications as of April 15, 2022:
- Heroku Dashboard (ID: 145909)
- Heroku Dashboard (ID: 628778)
- Heroku Dashboard – Preview (ID: 313468)
- Heroku Dashboard – Classic (ID: 363831)
- Travis CI (ID: 9216)

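To turn the affected-app list into a triage check, here is an added example (not code from GitHub or from the article) that scans an exported organization audit log for events performed through those OAuth application IDs and reports which repositories each grant touched. The export field names (`oauth_application_id`, `@timestamp`, `actor`, `repo`) are assumptions about the export format, and the sample records are constructed.

```python
import json
from collections import Counter

# App IDs as listed in the advisory above (Heroku Dashboard variants and Travis CI).
AFFECTED_OAUTH_APP_IDS = {145909, 628778, 313468, 363831, 9216}

# Assumed name of the field that carries the OAuth app ID in an audit-log export;
# adjust it to match the export you actually have.
APP_ID_FIELD = "oauth_application_id"

# Constructed sample export in JSON-lines form; these are not real log records.
SAMPLE_EXPORT = """\
{"@timestamp": 1649750400000, "action": "repo.download_zip", "actor": "alice", "org": "example-org", "repo": "example-org/billing", "oauth_application_id": 145909}
{"@timestamp": 1649750460000, "action": "git.clone", "actor": "alice", "org": "example-org", "repo": "example-org/internal-tools", "oauth_application_id": 145909}
{"@timestamp": 1649750520000, "action": "git.clone", "actor": "dave", "org": "example-org", "repo": "example-org/payments", "oauth_application_id": 9216}
{"@timestamp": 1649750580000, "action": "repo.create", "actor": "bob", "org": "example-org", "repo": "example-org/new-service", "oauth_application_id": 424242}
{"@timestamp": 1649750640000, "action": "org.update_member", "actor": "carol", "org": "example-org"}
"""


def parse_export(text):
    """Parse a JSON-lines audit-log export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_affected(records, affected=AFFECTED_OAUTH_APP_IDS):
    """Keep only events performed via one of the known-affected OAuth apps.

    Events without an app ID (interactive UI actions) are not flagged here."""
    return [r for r in records if r.get(APP_ID_FIELD) in affected]


def exposure_by_grant(flagged):
    """Group flagged events by (actor, app id): the token grant that needs revoking.

    For each grant, report the set of repositories touched, the earliest event
    time, and the event count, so the data exposure can be scoped per user."""
    out = {}
    for r in flagged:
        key = (r["actor"], r[APP_ID_FIELD])
        entry = out.setdefault(key, {"repos": set(), "first_seen": r["@timestamp"], "events": 0})
        if r.get("repo"):
            entry["repos"].add(r["repo"])
        entry["first_seen"] = min(entry["first_seen"], r["@timestamp"])
        entry["events"] += 1
    return out


def action_counts(flagged):
    """Tally which actions the affected apps performed (clones, zip downloads, ...)."""
    return Counter(r["action"] for r in flagged)
```

Run it over your own export by replacing `SAMPLE_EXPORT`; every (actor, app ID) pair in the result corresponds to one OAuth grant to revoke and one user to notify.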
GitHub Security began an investigation on April 12. GitHub also stated that it does not believe the attackers obtained these tokens via a compromise of GitHub or its systems; GitHub does not store these tokens in their original, usable formats. The GitHub team shared its findings with Heroku and Travis-CI. Mike Hanley, Chief Security Officer of GitHub, said:
« Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users.
GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours. »