GitHub saved plaintext passwords of npm users in log files, post mortem reveals

Unrelated to the OAuth token attack, but still troubling as org reveals details of around 100,000 users were grabbed by the baddies


GitHub has revealed it stored a "number of plaintext user credentials for the npm registry" in internal logs following the integration of the JavaScript package registry into GitHub's logging systems.

The information came to light when the company today published the results of its investigation into April's unrelated OAuth token theft attack, where it described how an attacker grabbed data including the details of approximately 100,000 npm users.

The code shack went on to assure users that the relevant log files had not been leaked in any data breach; that it had improved the log cleanup; and that it removed the logs in question "prior to the attack on npm."

GitHub already sent out notifications for "known victims of third-party OAuth token theft" in April but today said it planned to "directly notify affected users of the plaintext passwords and GitHub Personal Access Tokens based on our available logs."

Credentials in plaintext, eh? How very last century.

The number of users affected and how long the plaintext storage went on were not mentioned, but we've asked GitHub for more information. GitHub completed its acquisition of NPM Inc on 15 April 2020. Techies have already taken to the Hacker News messaging board to detail emails they received from npm.

According to the postmortem report:

Following an internal discovery and additional investigation unrelated to the OAuth token attack, GitHub discovered a number of plaintext user credentials for the npm registry that were captured in internal logs following the integration of npm into GitHub logging systems.

It added:

While this logging of credentials goes against our security best practices, GitHub or npm did not experience a compromise or data breach that would have exposed these logs containing plaintext credentials.

What information was involved?

Internal finding of plaintext credentials in logs: npm access tokens and a small number of plaintext passwords used in attempts to sign in to npm accounts, as well as some GitHub Personal Access Tokens sent to npm services.

As for the attack first disclosed in April, at the root of the problem, according to GitHub, were stolen OAuth user tokens issued to two GitHub.com integrators: Heroku and Travis CI. So far, so well known – The Register put together some of the puzzle pieces in April.

Salesforce-owned Heroku noted that some of its private repos were accessed on April 9 before slamming the brakes on GitHub integration. That integration was restored earlier this week, according to the company's status page.

While Travis CI didn't think any customer data had been siphoned at the time, it still reissued all private customer keys and tokens for GitHub integration.

The attacker was able to use the stolen OAuth tokens to gain access to npm's AWS infrastructure. With that access, a backup of skimdb.npmjs.com from April 7, 2021 was grabbed. This contained an archive of user information from 2015 (npm usernames, password hashes and email addresses for approximately 100k users) and all private npm package manifests and package metadata as of April 7, 2021.

Private packages from two organizations were also pulled down, although GitHub did not name names.

While the data contained information such as READMEs, maintainer emails and version histories, it did not include actual package artifacts.

However, the hashed passwords do present a problem since the hashes were generated using PBKDF2 or salted SHA1 algorithms, according to GitHub. Things were tightened up using bcrypt from 2017. The passwords have been reset, and users can expect notifications to turn up at some point.
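The situation described above, a credential store holding old salted-SHA1 and PBKDF2 records alongside newer slow hashes, is normally handled by rehashing each legacy record the next time its owner logs in successfully, and force-resetting the accounts that never do. The following is an added illustration written for this article, not GitHub's or npm's code; the record layouts are constructed, and the standard library's scrypt stands in for bcrypt (which needs a third-party package).

```python
import hashlib
import hmac
import os

# Constructed record layouts (an assumption, not npm's real schema); scrypt stands in for bcrypt:
#   sha1$<salt_hex>$<digest_hex>   pbkdf2$<iters>$<salt_hex>$<digest_hex>   scrypt$<salt_hex>$<digest_hex>
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)

def hash_password(password, salt=None):
    """Create a record in the current (scrypt) format with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())

def legacy_record(kind, password, salt, iters=1000):
    """Build a legacy 'sha1' or 'pbkdf2' record; used only to construct sample data here."""
    pw = password.encode()
    if kind == "sha1":
        return "sha1$%s$%s" % (salt.hex(), hashlib.sha1(salt + pw).hexdigest())
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iters, 32)
    return "pbkdf2$%d$%s$%s" % (iters, salt.hex(), digest.hex())

def _recompute(record, password):
    """Recompute the digest for whichever format the record uses, or None if unknown."""
    parts = record.split("$")
    pw = password.encode()
    if parts[0] == "sha1" and len(parts) == 3:
        return hashlib.sha1(bytes.fromhex(parts[1]) + pw).digest()
    if parts[0] == "pbkdf2" and len(parts) == 4:
        return hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(parts[2]), int(parts[1]), 32)
    if parts[0] == "scrypt" and len(parts) == 3:
        return hashlib.scrypt(pw, salt=bytes.fromhex(parts[1]), **SCRYPT)
    return None

def verify_and_upgrade(record, password):
    """Return (ok, record). On a correct password a legacy record is rehashed in place."""
    expected = _recompute(record, password)
    if expected is None:
        return False, record
    stored = bytes.fromhex(record.rsplit("$", 1)[1])
    if not hmac.compare_digest(stored, expected):  # constant-time comparison
        return False, record
    if not record.startswith("scrypt$"):
        return True, hash_password(password)  # transparent upgrade on successful login
    return True, record

def legacy_accounts(store):
    """Accounts still on a fast hash: they never logged in since the upgrade and need a reset."""
    return sorted(user for user, rec in store.items() if not rec.startswith("scrypt$"))
```

A dump taken years after the upgrade still exposes exactly the accounts `legacy_accounts` lists, which is why a forced reset, not just rehash-on-login, is the complete fix.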

GitHub celebrated the publication of its findings by doing that most secure of things: falling over so users couldn't get access this morning. The majority of its services had a wobble from 0754 UTC. The incident was resolved just before 0900 UTC, according to the source shack's service status page. ®


Biting the hand that feeds IT © 1998–2022