
Attack On GitHub: data stolen from over 100,000 npm accounts

Back in April, hackers stole numerous OAuth tokens belonging to GitHub users and, with them, private files of many organizations. It has since been revealed that the same attack also stole the credentials of more than 100,000 users of the “npm” package registry.

This comes from GitHub's official report on its investigation (via The Register), in which the company lists which data could be stolen. It was already known last month that “npm” also uses the third-party services Heroku and Travis-CI, through which the tokens were stolen. At that time, however, it was still unclear whether the hackers could also obtain user data.

Passwords saved in plain text log files

The report confirms that records of more than 100,000 npm accounts were accessed. Because the passwords were hashed with the insecure algorithms PBKDF2 and SHA-1, the original passwords can be recovered from the hashes. The data, however, comes from an archive created in 2015. In addition to user data, all private package manifest files and npm metadata generated up to April 7, 2021 were stolen.
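The practical problem behind that paragraph is a user store that still holds old, weakly hashed records. The following is an added example, not code from npm or GitHub: it flags records that use a legacy scheme (unsalted SHA-1 or low-iteration PBKDF2-SHA1) and re-hashes them with stronger parameters at the user's next successful login, which is the only moment the plaintext is available. The record formats, the iteration counts and the sample store are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not code from npm or GitHub. Storage formats and iteration
# counts are assumptions; the sample store below is constructed test data.

MODERN_PRF = "sha256"
MODERN_ITERATIONS = 600_000          # assumed policy value for newly written hashes
MIN_ACCEPTABLE_ITERATIONS = 210_000  # assumed floor; anything lower counts as legacy


def hash_password(password: str, iterations: int = MODERN_ITERATIONS) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: scheme$iterations$salt$dk."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(MODERN_PRF, password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def is_legacy(stored: str) -> bool:
    """True if a stored record uses a scheme or work factor that should be retired."""
    scheme = stored.split("$", 1)[0]
    if scheme in ("sha1", "pbkdf2_sha1"):
        return True
    if scheme == "pbkdf2_sha256":
        iterations = int(stored.split("$")[1])
        return iterations < MIN_ACCEPTABLE_ITERATIONS
    return True  # unknown format: flag it rather than silently trusting it


def verify(stored: str, password: str) -> bool:
    """Check a password against any of the supported record formats."""
    parts = stored.split("$")
    scheme = parts[0]
    if scheme == "sha1":
        # Legacy format "sha1$<hex digest>": unsalted, a single fast hash.
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, parts[1])
    if scheme in ("pbkdf2_sha1", "pbkdf2_sha256"):
        iterations, salt_hex, dk_hex = int(parts[1]), parts[2], parts[3]
        prf = "sha1" if scheme == "pbkdf2_sha1" else "sha256"
        dk = hashlib.pbkdf2_hmac(prf, password.encode(), bytes.fromhex(salt_hex), iterations)
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False


def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy record with a modern one."""
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        # The plaintext is only available here, so this is the moment to re-hash.
        store[username] = hash_password(password)
    return True


def audit(store: dict) -> list:
    """Users whose records still need upgrading (for reporting or forced resets)."""
    return sorted(user for user, rec in store.items() if is_legacy(rec))


def make_sample_store() -> dict:
    """Constructed sample data in three formats; not real credentials."""
    legacy_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    bob_dk = hashlib.pbkdf2_hmac("sha1", b"correct-horse", legacy_salt, 1000)
    return {
        "alice": "sha1$" + hashlib.sha1(b"hunter2").hexdigest(),
        "bob": f"pbkdf2_sha1$1000${legacy_salt.hex()}${bob_dk.hex()}",
        "carol": hash_password("battery-staple"),
    }


if __name__ == "__main__":
    users = make_sample_store()
    print("needs upgrade before login:", audit(users))
    login_and_upgrade(users, "alice", "hunter2")
    print("needs upgrade after alice logs in:", audit(users))
```

The audit list is the piece a response team needs: accounts that never log in again keep their legacy hash indefinitely, so those are the candidates for a forced reset once an archive like the 2015 one is known to be exposed.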

In addition, some npm services stored passwords in internal plain-text log files. While GitHub may already have notified affected companies about the attack in April, the company emphasizes that it will again directly notify npm users whose passwords were stored in plain text. Just over a month ago, the version control service announced that hackers had been able to steal numerous OAuth tokens and gain access to private source code.
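Passwords ending up in plain-text logs is a failure mode with two standard controls: scrub credential-bearing fields before a line is written, and scan existing logs for lines that still carry secrets. The block below is an added example, not npm's or GitHub's code; the field names it looks for, the URL and header shapes, and the sample log lines are all assumptions constructed for the example.

```python
import re

# Added example, not code from npm or GitHub. The key names, the URL/header
# shapes and SAMPLE_LOG are assumptions constructed for illustration.

SENSITIVE_KEYS = ("password", "passwd", "pwd", "token", "secret", "_auth")

# key=value, key: value, or JSON "key": "value". A quoted value runs to the
# closing quote; a bare value stops at whitespace, commas, ampersands or quotes.
_KV = re.compile(
    r'(?P<key>"?(?:' + "|".join(SENSITIVE_KEYS) + r')"?\s*[=:]\s*)'
    + r'(?:"(?P<qval>[^"]*)"|(?P<val>[^\s,&"]+))',
    re.IGNORECASE,
)
# Credentials carried in an HTTP Authorization header.
_AUTH_HEADER = re.compile(
    r"(?P<prefix>Authorization:\s*(?:Basic|Bearer)\s+)(?P<cred>\S+)", re.IGNORECASE
)
# Password in URL userinfo, e.g. https://user:pw@registry.example.test/
_URL_USERINFO = re.compile(r"(?P<prefix>https?://[^/\s:@]+:)(?P<pw>[^@\s]+)@")


def _redact_kv(m: re.Match) -> str:
    # Keep the key and the quoting style so the line stays parseable.
    if m.group("qval") is not None:
        return m.group("key") + '"[REDACTED]"'
    return m.group("key") + "[REDACTED]"


def scrub(line: str) -> str:
    """Return the line with credential values masked; unchanged if none found."""
    line = _URL_USERINFO.sub(r"\g<prefix>[REDACTED]@", line)
    line = _AUTH_HEADER.sub(r"\g<prefix>[REDACTED]", line)
    return _KV.sub(_redact_kv, line)


def find_leaks(lines) -> list:
    """Indices of lines that would change under scrub(), i.e. lines carrying secrets."""
    return [i for i, line in enumerate(lines) if scrub(line) != line]


# Constructed sample log lines (not real data): three kinds of credential leak,
# one clean line and one JSON body.
SAMPLE_LOG = [
    "2021-04-07T10:12:01Z INFO login user=alice password=hunter2 ip=203.0.113.5",
    "2021-04-07T10:12:02Z DEBUG request headers Authorization: Bearer npm_AbCdEf123456 path=/-/whoami",
    "2021-04-07T10:12:03Z INFO publish registry=https://alice:s3cret@registry.example.test/ pkg=@acme/widget",
    "2021-04-07T10:12:04Z INFO package @acme/widget@1.2.3 published by alice",
    '2021-04-07T10:12:05Z DEBUG body {"name": "alice", "password": "Tr0ub4dor&3"}',
]


if __name__ == "__main__":
    print("lines with secrets:", find_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(scrub(line))
```

Running `scrub` inside the logging pipeline (for example as a formatter) is the preventive control; running `find_leaks` over archived logs is the detective control that tells you which files need to be purged and which users need the kind of notification the article describes.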

Access to the source code lets attackers search far more efficiently for critical vulnerabilities in the affected programs. A few weeks ago, GitHub recommended that its users check their audit and security logs for suspicious activity. Although the hackers had access to many repositories, no changes were made to the packages.