Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators
Blog post from GitHub
In April 2022, GitHub identified a security incident involving the misuse of OAuth tokens issued to the third-party services Heroku and Travis CI; an attacker used these tokens to access private repositories on GitHub.com. The attack began on April 12 when GitHub Security detected unauthorized access to npm's production infrastructure using a compromised AWS API key, believed to have been obtained through the compromised OAuth tokens. GitHub immediately contacted Heroku and Travis CI to initiate security investigations, revoke the affected OAuth tokens, and notify users. The affected tokens were not stored by GitHub in their original format, indicating that the breach did not occur through GitHub's systems directly. GitHub has notified the known victims of the attack and continues to monitor the situation while advising users to review their authorized OAuth applications for any anomalies. The company remains committed to protecting its ecosystem and is working closely with Heroku and Travis CI to mitigate the impact of the breach.