GitHub disclosed details of the NPM infrastructure breach and of plaintext passwords in internal logs

GitHub has published the results of its analysis of the April 12 attack, in which attackers gained access to Amazon AWS cloud environments used in the NPM project's infrastructure. The investigation showed that the attackers obtained backups of the skimdb.npmjs.com host, including a 2015 database backup holding the credentials of approximately 100 thousand NPM users: password hashes, user names and email addresses.

The password hashes had been computed with salted PBKDF2 or salted SHA-1; in 2017 these were replaced by bcrypt, which is considerably more resistant to brute force. Once the incident was identified, the affected passwords were reset and the users were notified to set a new one. Because NPM has required mandatory two-factor verification with email confirmation since March 1, the risk of account compromise is assessed as low.

In addition, the attackers obtained the manifests and metadata of all private packages as of April 2021, CSV files with a current list of all private package names and versions, and the full contents of all private packages belonging to two GitHub customers (whose names are not disclosed). As for the registry itself, analysis of the traces left by the attackers and verification of package hashes found no evidence that they modified NPM packages or published bogus new versions.

The attack, on April 12, used stolen OAuth tokens that had been issued to two third-party GitHub integrators, Heroku and Travis-CI. With those tokens the attackers retrieved, from private GitHub repositories, an Amazon Web Services API key used in the NPM project infrastructure. That key in turn gave access to data stored in the AWS S3 service.

GitHub also disclosed a previously identified serious confidentiality problem in the handling of user data on NPM servers: the passwords of some NPM users, as well as NPM access tokens, had been stored in clear text in internal logs. When NPM was integrated with GitHub's logging system, the developers did not ensure that sensitive data was stripped from the requests to NPM services that were written to the log. GitHub states that the flaw was fixed and the logs purged before the attack on NPM, and that only a limited set of GitHub employees had access to the logs containing the plaintext passwords.
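Scrubbing request records before they reach a log, the control the paragraph above says was missing, is shown in the following added example, which is not npm's or GitHub's code. It assumes a request record of the form `{ method, url, headers, body }`, a deny list of header and field names, and, as an assumed token shape, modern npm tokens of the form `npm_` followed by 36 alphanumeric characters; the login and publish requests at the bottom are constructed for the example, and the function names are this example's own.

```javascript
'use strict';

const REDACTED = 'REDACTED';

// Header names whose values never reach a log line (compared lower-case).
const SECRET_HEADERS = new Set(['authorization', 'cookie', 'set-cookie', 'npm-otp']);
// Query/body field names treated as secrets (case-insensitive substring match).
const SECRET_FIELDS = ['password', 'token', 'secret', 'otp'];
// Assumed token shape for pattern scrubbing: "npm_" followed by 36 alphanumerics.
const NPM_TOKEN_RE = /\bnpm_[A-Za-z0-9]{36}\b/g;

function isSecretField(name) {
  const n = String(name).toLowerCase();
  return SECRET_FIELDS.some((f) => n.includes(f));
}

// Pattern-based scrubbing for free text: URLs, error messages, opaque bodies.
function scrubString(s) {
  return String(s).replace(NPM_TOKEN_RE, REDACTED);
}

// Recursive scrubbing for parsed JSON: secret field names are redacted wholesale,
// every other string is pattern-scrubbed, non-strings pass through unchanged.
function scrubValue(value, key) {
  if (key !== undefined && isSecretField(key)) return REDACTED;
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

// Redact secret query parameters, then pattern-scrub whatever is left (path included).
function scrubUrl(url) {
  const u = new URL(url, 'http://placeholder.invalid'); // base is only used for relative URLs
  for (const k of [...u.searchParams.keys()]) {
    if (isSecretField(k)) u.searchParams.set(k, REDACTED);
  }
  const rebuilt = url.startsWith('/') ? u.pathname + u.search : u.toString();
  return scrubString(rebuilt);
}

// Log-safe view of a request record { method, url, headers: {name: value}, body: string|object }.
function scrubRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name] = SECRET_HEADERS.has(name.toLowerCase()) ? REDACTED : scrubString(value);
  }
  let body = req.body;
  if (typeof body === 'string') {
    try {
      body = scrubValue(JSON.parse(body)); // JSON body: field-aware redaction
    } catch {
      body = scrubString(body); // opaque body: pattern scrubbing only
    }
  } else if (body !== undefined) {
    body = scrubValue(body);
  }
  return { method: req.method, url: scrubUrl(req.url), headers, body };
}

// Constructed sample records, not captured traffic. The login body mirrors the shape of
// npm's legacy login call, which carries the password inside a JSON document.
const loginRequest = {
  method: 'PUT',
  url: '/-/user/org.couchdb.user:alice',
  headers: { 'content-type': 'application/json', 'npm-otp': '123456' },
  body: JSON.stringify({ name: 'alice', password: 'hunter2', type: 'user' }),
};
const publishRequest = {
  method: 'PUT',
  url: '/example-pkg?write=true&token=npm_' + 'a'.repeat(36),
  headers: { authorization: 'Bearer npm_' + 'b'.repeat(36) },
  body: 'opaque tarball payload',
};

console.log(JSON.stringify(scrubRequest(loginRequest)));   // password and npm-otp are REDACTED
console.log(JSON.stringify(scrubRequest(publishRequest))); // token and authorization are REDACTED
```

Field-name redaction and pattern redaction complement each other: the login body is caught by its `password` key, while a token pasted into a URL or an error message is caught by the token pattern. Anything that is not JSON is treated as opaque text and still pattern-scrubbed, so an unexpected body shape cannot reintroduce the leak the article describes, at least for secrets of the assumed shape.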

Source: opennet.ru
