On April 12, 2022, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.
According to GitHub's investigation, between April 7 and 10, 2022, the attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI. For most users who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all of the user's organizations. The attacker then selectively chose targets based on the listed organizations, listed the private repositories accessible to the user accounts of interest, and proceeded to clone some of those private repositories.