Our documentation gives examples of the data returned from requests to these endpoints: The activity was conducted using the /user/repos and /orgs//repos GitHub API endpoints. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats which could be abused by an attacker. The repository listing activity was conducted by the attacker through abuse of third-party OAuth user tokens maintained by Heroku and Travis CI.
GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behavior using the compromised OAuth tokens issued to Travis CI and Heroku.įollowing this series of notifications, GitHub will have completed directly notifying each affected user for whom we were able to detect abuse using the stolen OAuth tokens.Ĭustomers should also continue to monitor Heroku and Travis CI for updates on their own investigations into the affected OAuth applications at:Īpupdate: GitHub has sent notifications for known victims of repository listing activity using stolen OAuth app tokens.Īs of 7:33 PM UTC on April 22, 2022, we’ve notified victims of this campaign whom we have identified as having repository details listed using stolen OAuth app tokens, but did NOT have repository contents downloaded. This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to selectively target for listing and downloading private repositories. The attacker then proceeded to clone some of those private repositories. The attacker listed the private repositories for user accounts of interest.ĥ.
The attacker then selectively chose targets based on the listed organizations.Ĥ.
For most people who had the affected Heroku or Travis CI OAuth apps authorized in their GitHub accounts, the attacker listed all the user’s organizations.ģ. The attacker authenticated to the GitHub API using the stolen OAuth tokens issued to Heroku and Travis CI.Ģ. GitHub’s analysis of the attacker’s behavior reveals the following activities carried out on using stolen OAuth app tokens:ġ. Microsoft authentication (AAD/MSA)ĭiagnostic summary: 7 passed, 0 skipped, 0 failed.Apupdate: Pattern of attacker activity on GitHub.Īs of 5:00 PM UTC on April 27, 2022, we are in the process of sending the final expected notifications to customers who had either the Heroku or Travis CI OAuth app integrations authorized in their GitHub accounts. Try to push fails and doesn't ask any credential C:\Users\lieve\AppData\Local\Temp\4884d047b3b90ccd697a4d7ec21be49d>git pushĬ:\Users\lieve\AppData\Local\Temp\4884d047b3b90ccd697a4d7ec21be49d>git credential-manager-core diagnose Remote: Total 9 (delta 0), reused 0 (delta 0), pack-reused 9
All I get is a remote: Repository not found.Ĭloning my gist C:\Users\lieve\AppData\Local\Temp>git clone Ĭloning into '4884d047b3b90ccd697a4d7ec21be49d'. Unfortunately, it's either not that simple or I messed up somewhere else. pushing would ask credentials (username/token).I assumed following simple workflow would suffice I'm trying to push my gist to github and trying to do it the right way by using the credential manager as per this answer