GitHub Explains How Attackers Compromised the NPM Repository and What Data Was Stolen

GitHub has offered a lot more details on the NPM data breach in April 2022 and explained how the attackers compromised the systems and what kind of data they stole.

The NPM repositories have been a point of contention in recent months. Some attackers used the platform to spread malware by hiding packages under names closely resembling the original ones. Also, GitHub announced sweeping changes to the entire repository by enforcing multi-factor authentication for all projects in an effort to curb man-in-the-middle attacks.

The April 2022 attack was more complex than bad actors simply abusing the naming system for some packages. According to the GitHub analysis, the attackers used OAuth user tokens issued to two third-party GitHub.com integrators, Heroku and Travis CI. They lifted a lot of important information, including user names, passwords and email addresses for at least 100,000 users, along with other files pertaining to packages in the repository.

This is a list of all stolen data GitHub offered:

· A backup of skimdb.npmjs.com containing data from April 7, 2021, with the following information:
· An archive of user information from 2015. This contained npm usernames, password hashes, and email addresses for roughly 100,000 npm users.
· All private npm package manifests and package metadata as of April 7, 2021.
· A series of CSVs containing an archive of all names and version numbers (semVer) of published versions of all npm private packages as of April 10, 2022.
· Private packages from two organizations.

There’s some good news. The investigation revealed that the threat actor didn’t modify or publish new packages in the repositories. Furthermore, some plaintext user credentials available in the internal logs after the NPM login systems integrated into GitHub have been purged.

Of course, GitHub reset the credentials of all compromised accounts, and the organizations that had private packages stolen were notified immediately.

One of the biggest problems in modern cybersecurity is human behavior. People tend to reuse passwords on multiple online services. If you used the same password on NPM and other online services, make sure to change them across the board and switch to unique passphrases for each one.