What GitHub’s Latest Leak Reveals About Plaintext Credential Risks

GitHub’s recent security incident, unrelated to OAuth token attacks, exposed over 100,000 npm users' plaintext credentials and detailed private package data, prompting a review of logging practices, notification plans, and broader implications for supply‑chain security.


GitHub’s recent security incident is not directly linked to the OAuth token theft attacks, but it has exposed the plaintext credentials of over 100,000 npm users.

After integrating the npm package registry into its logging system, GitHub stored portions of the npm registry’s user credentials—including access tokens and some plaintext passwords—in internal logs.

The company disclosed that the leaked data contains usernames, password hashes, email addresses, and private npm package metadata for roughly 100,000 users.

GitHub states that the log files were not leaked externally, that it has since improved its log‑scrubbing mechanisms, and that it removed the problematic logs before the npm‑related attack.
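The control this incident calls for is a scrubbing step that runs before a request record reaches the log sink, plus a detector that can be run over logs already written. The following is an added illustration, not GitHub's or npm's code; the token prefixes (ghp_/gho_ and npm_, with a UUID form for legacy npm tokens), the sensitive key names and the sample log lines are assumptions constructed for the example.

```python
import json
import re

# Secret shapes that turn up in registry request logs. gh?_ are GitHub's
# documented token prefixes and npm_ is the npm granular-token prefix; the
# UUID form covers legacy npm tokens. Assumed to be the shapes this pipeline
# must catch; extend the table for your own environment.
TOKEN_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "uuid_token": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b"),
    "auth_header": re.compile(r"(?i)\b(Bearer|Basic)\s+\S+"),
}
# JSON keys whose values are credentials whatever their shape (the npm
# login/adduser request body carries the password in clear text).
SENSITIVE_KEYS = {"authorization", "password", "token", "_authtoken"}

def find_secrets(line):
    """Detection: report which secret kinds a raw log line contains."""
    return [kind for kind, pat in TOKEN_PATTERNS.items() if pat.search(line)]

def redact_text(text):
    """Mask secrets inside a free-form string, keeping only the auth scheme."""
    for kind, pat in TOKEN_PATTERNS.items():
        text = pat.sub(r"\1 [REDACTED]" if kind == "auth_header" else "[REDACTED]", text)
    return text

def scrub(obj):
    """Recursively scrub a decoded JSON record: sensitive keys by name,
    every other string by pattern."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return redact_text(obj) if isinstance(obj, str) else obj

def scrub_log_line(line):
    """Scrub one line before it reaches the sink: JSON if it parses, else text."""
    try:
        return json.dumps(scrub(json.loads(line)), sort_keys=True)
    except ValueError:
        return redact_text(line)

# Constructed sample lines with fake credentials (not real tokens).
SAMPLE_LOG = [
    '{"method":"PUT","path":"/-/user/org.couchdb.user:alice",'
    '"body":{"name":"alice","password":"hunter2"}}',
    '{"method":"GET","path":"/-/whoami","headers":{"Authorization":"Bearer npm_' + "a" * 36 + '"}}',
    "GET /@acme/private-pkg 200 token=ghp_" + "b" * 36,
]

def scrub_sample():
    return [scrub_log_line(line) for line in SAMPLE_LOG]
```

Running find_secrets over the scrubbed output should return nothing for every line; a non-empty result on archived logs is the signal that credentials reached storage and a token rotation is due.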

In April, GitHub notified known third‑party OAuth token theft victims and plans to directly inform affected users about exposed plaintext passwords and personal access tokens.

The breach also revealed that attackers used stolen OAuth tokens to access npm’s AWS infrastructure, capturing a backup of skimdb.npmjs.com that includes a 2015 archive of user information and all private package listings up to April 7, 2021.

“After internal discovery unrelated to the OAuth token attack, GitHub found many plaintext user credentials for the npm registry captured in internal logs after integrating npm into GitHub’s logging system. Although this violates our security best practices, neither GitHub nor npm has observed any abuse or data leakage of these logs.”

The exposed files contain npm access tokens, a few plaintext passwords used in login attempts, and GitHub personal access tokens sent to the npm service. The original OAuth token theft originated from compromised tokens of Heroku and Travis CI, two GitHub integrators.

GitHub’s response included a temporary service outage, which was resolved by 09:00 UTC, and the company reiterated that bcrypt hashing has been prohibited since 2017.

Written by 21CTO