An unknown attacker used stolen authentication tokens to download data from dozens of private GitHub repositories, including those of npm, the world's largest software registry with some 75 billion downloads a month, GitHub has confirmed in a troubling security incident. GitHub says it and the other affected organizations were compromised after the attacker stole OAuth user tokens from two upstream third-party software firms and replayed them against GitHub.com.
GitHub Security confirmed the breach on April 18, saying that on April 12 it had spotted unauthorized access to its own npm production infrastructure, carried out with a compromised AWS API key, as part of the evolving incident. (GitHub operates the microservices and databases underpinning production infrastructure for the npm registry, the JavaScript package hub and largest software registry in the world, which it acquired in 2020.)
GitHub said it saw “unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage… we assess that the attacker did not modify any packages or gain access to any user account data or credentials.”