GitHub: Stolen OAuth User Tokens Used to Steal Data
GitHub says that stolen OAuth user tokens that were initially issued to two third-party integrators have been used to download data from other organizations. GitHub has notified organizations that were compromised.
OAuth is a great tool to create "valet keys" that provide CI/CD tools with just the access needed to do their job. But they still need to be safeguarded. Make sure your tools are able to rotate these keys periodically. From time to time, review which tools have access to your accounts. Services supporting OAuth should make it easy to review which applications have been approved for access.
To further protect users, GitHub revoked the tokens associated with its own and npm's use of the compromised Travis CI and Heroku Dashboard applications. The attackers are believed to have mined the private repositories downloaded with the pilfered OAuth tokens, looking for additional credentials that would let them pivot into other systems. With OAuth keys being an essential component of remote/cloud-based services, their use is a risk you need to actively manage to prevent malfeasance. Make sure you're auditing, monitoring and appropriately expiring OAuth keys to minimize abuse.
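As an added defensive example (not from the article, GitHub or the affected integrators), the script below runs the kind of monitoring check the note calls for: it flags an OAuth application whose token clones an unusual number of private repositories across several organizations within a short window, the pattern described in this incident. The JSON-lines audit records and their field names (`ts`, `action`, `app`, `org`, `repo`, `private`) are constructed for this example and are not GitHub's actual audit-log schema.

```python
"""Flag OAuth apps whose tokens mass-clone private repos across orgs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (field names are an assumption, not GitHub's schema).
# "app" is the OAuth application the token belongs to; "rogue-app" is the abused one.
SAMPLE_LOG = """\
{"ts":"2022-04-12T03:00:05Z","action":"git.clone","app":"example-ci","org":"org-a","repo":"org-a/web","private":true}
{"ts":"2022-04-12T03:01:10Z","action":"git.clone","app":"rogue-app","org":"org-a","repo":"org-a/web","private":true}
{"ts":"2022-04-12T03:01:40Z","action":"git.clone","app":"rogue-app","org":"org-a","repo":"org-a/infra","private":true}
{"ts":"2022-04-12T03:02:15Z","action":"git.clone","app":"rogue-app","org":"org-b","repo":"org-b/api","private":true}
{"ts":"2022-04-12T03:02:50Z","action":"git.clone","app":"rogue-app","org":"org-b","repo":"org-b/payments","private":true}
{"ts":"2022-04-12T03:03:30Z","action":"git.clone","app":"rogue-app","org":"org-c","repo":"org-c/billing","private":true}
{"ts":"2022-04-12T03:04:00Z","action":"git.clone","app":"rogue-app","org":"org-c","repo":"org-c/docs","private":false}
{"ts":"2022-04-12T09:00:00Z","action":"git.clone","app":"example-ci","org":"org-a","repo":"org-a/web","private":true}
{"ts":"2022-04-12T09:30:00Z","action":"git.push","app":"example-ci","org":"org-a","repo":"org-a/web","private":true}
"""


def parse_events(text):
    """Parse JSON-lines audit records, converting the timestamp to a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_mass_clones(events, window=timedelta(minutes=30), repo_threshold=5, org_threshold=2):
    """Return {app: (distinct private repos, distinct orgs)} for every app that,
    within any sliding window, cloned at least repo_threshold distinct private
    repos spanning at least org_threshold orgs. Public repos are ignored since
    the concern here is exfiltration of private code."""
    by_app = defaultdict(list)
    for ev in events:
        if ev["action"] == "git.clone" and ev["private"]:
            by_app[ev["app"]].append(ev)
    flagged = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        best = (0, 0)
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            counts = (len({e["repo"] for e in in_win}), len({e["org"] for e in in_win}))
            best = max(best, counts)
        if best[0] >= repo_threshold and best[1] >= org_threshold:
            flagged[app] = best
    return flagged


if __name__ == "__main__":
    print(find_mass_clones(parse_events(SAMPLE_LOG)))  # {'rogue-app': (5, 3)}
```

Thresholds should be tuned against each integrator's normal behaviour; a CI tool that legitimately clones one repo per build should never approach the cross-org pattern this check looks for.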
Read more in
GitHub: Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators
Security Week: GitHub Warns of Private Repositories Downloaded Using Stolen OAuth Tokens
Bleeping Computer: GitHub: Attacker breached dozens of orgs using stolen OAuth tokens
SC Magazine: Threat actors that compromised two OAuth integrators could potentially penetrate cloud systems