How Stolen OAuth Tokens Let Attackers Access Private GitHub Repositories
GitHub revealed that attackers exploited stolen OAuth tokens from third‑party services like Heroku and Travis‑CI to download private repository data, prompting a rapid revocation of tokens and ongoing investigation into the breach.
GitHub disclosed on April 15 that attackers were using stolen OAuth user tokens to download data from private repositories.
The breach was first detected on April 12, when the attackers leveraged OAuth applications maintained by the third‑party CI/CD services Heroku and Travis‑CI to access and steal data from dozens of organizations, including npm.
GitHub’s CSO Mike Hanley said the tokens were not obtained by compromising GitHub itself; instead, the attackers likely harvested them from the third‑party services, then used the tokens to download private repository contents for further exploitation.
The compromised OAuth applications included several Heroku Dashboard instances (IDs 145909, 628778, 313468, 363831) and Travis CI (ID 9216).
GitHub’s security team also observed that on April 12 attackers used leaked AWS API keys to gain unauthorized access to GitHub’s npm production infrastructure, possibly after using stolen OAuth tokens to download multiple private npm repositories. GitHub revoked the affected tokens and took steps to protect data on April 13.
GitHub believes no npm packages were altered, no user account data or credentials were exposed, and there is no evidence that the stolen tokens were used to clone other private repositories.
The investigation continues, and GitHub has notified all affected users and organizations.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
21CTO