GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI.
“Customers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications,” the company said in an updated post.
The incident originally came to light on April 12 when GitHub uncovered signs that a malicious actor had leveraged the stolen OAuth user tokens issued to Heroku and Travis-CI to download data from dozens of organizations, including NPM.
The Microsoft-owned platform also said that it will alert customers promptly should the ongoing investigation identify additional victims. Additionally, it cautioned that the adversary may also be digging into the repositories for secrets that could be used in other attacks.
Heroku, which has pulled support for GitHub integration in the wake of the incident, recommended that users have the option of integrating their app deployments with Git or other version control providers such as GitLab or Bitbucket.
Hosted continuous integration service provider Travis CI, in a similar advisory published on Monday, stated that it had “revoked all authorization keys and tokens preventing any further access to our systems.”
Stating that no customer data was exposed, the company acknowledged that the attackers breached a Heroku service and accessed a private application’s OAuth key that’s used to integrate both the Heroku and Travis CI apps.
But Travis CI reiterated that it found no evidence of intrusion into a private customer repository or that the threat actors obtained unwarranted source code access.
“Given the data we had and out of an abundance of caution, Travis CI revoked and reissued all private customer auth keys and tokens integrating Travis CI with GitHub to ensure no customer data is compromised,” the company said.