GitHub Token Theft via Travis CI: CI/CD Access Exposes Private Repository Secrets

Heroku and Travis CI tokens stored in GitHub Actions logs and repositories were stolen, allowing attackers to access private GitHub repositories for npm, PyPI, and numerous enterprises — demonstrating how CI/CD tokens are the new passwords.

GitHub / npm / Heroku / Travis CI · 2022

Background

In April 2022, GitHub notified npm that a GitHub Personal Access Token (PAT) for npm had been stolen and used to access private repositories. Investigation revealed that OAuth tokens from CI/CD providers Heroku and Travis CI had been compromised and used systematically to access private GitHub repositories.

The Attack

Attackers obtained OAuth tokens issued to Heroku and Travis CI for their GitHub integrations. These tokens carried the "repo" scope — they could read and write every private repository of any GitHub user or organisation that had authorised the CI integrations. The attackers used the tokens to enumerate and clone private repositories, searching for secrets, source code, and deployment configurations. npm's private repositories were among those accessed, resulting in the disclosure of private package metadata. The tokens were obtained either through a breach of Heroku's and Travis CI's internal systems or through a compromise of their token storage.

Response

GitHub revoked all affected OAuth tokens. Heroku and Travis CI invalidated and rotated all GitHub integration tokens. GitHub published detailed guidance on OAuth token scope restriction. npm audited all accessed repositories for leaked secrets. The incident prompted GitHub to release fine-grained Personal Access Tokens with repository-specific scope.

Outcome

The scope of access — any private repository of any user who had installed the Heroku or Travis CI GitHub apps — was vast. The incident drove adoption of OIDC-based, short-lived tokens for CI/CD GitHub integration as an alternative to long-lived OAuth tokens.

Key Takeaways

  1. OAuth tokens with broad repository access are high-value targets — restrict scopes to the minimum required
  2. Use short-lived OIDC tokens for CI/CD GitHub integration instead of long-lived OAuth tokens
  3. Audit all third-party GitHub app OAuth token grants and revoke those no longer in use
  4. Rotate all secrets in any repository that was accessed during a CI/CD token compromise
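A scope audit for takeaways 1 and 3, added here as an example (not code from the original article or from GitHub): it expands the classic-token scope hierarchy that GitHub documents and reports which scopes a token holds beyond what a CI integration needs, reading the `X-OAuth-Scopes` header GitHub returns on API responses. The `IMPLIED` table is a partial transcription of that hierarchy, and the `fetch_scope_header` helper and the sample header are assumptions for illustration.

```python
"""Audit a classic GitHub OAuth/PAT token's scopes against what a CI
integration actually needs. Added example, not from the original article."""
import urllib.request
from typing import Dict, FrozenSet, List

# Partial scope hierarchy for classic tokens (per GitHub's docs);
# holding a parent scope grants all of its children.
IMPLIED: Dict[str, List[str]] = {
    "repo": ["repo:status", "repo_deployment", "public_repo", "repo:invite",
             "security_events"],
    "admin:org": ["write:org"], "write:org": ["read:org"],
    "admin:repo_hook": ["write:repo_hook"], "write:repo_hook": ["read:repo_hook"],
    "admin:public_key": ["write:public_key"], "write:public_key": ["read:public_key"],
    "user": ["read:user", "user:email", "user:follow"],
    "write:packages": ["read:packages"],
}

def expand_scopes(granted: List[str]) -> FrozenSet[str]:
    """Return every scope effectively held, following the implied-scope graph."""
    held, stack = set(), list(granted)
    while stack:
        scope = stack.pop()
        if scope and scope not in held:
            held.add(scope)
            stack.extend(IMPLIED.get(scope, []))
    return frozenset(held)

def parse_scope_header(header: str) -> List[str]:
    """Parse the comma-separated X-OAuth-Scopes header (empty for fine-grained
    PATs and GitHub App tokens, which do not use classic scopes)."""
    return [s.strip() for s in header.split(",") if s.strip()]

def excess_scopes(header: str, required: List[str]) -> List[str]:
    """Scopes the token holds beyond what the integration needs. A CI status
    reporter needs only repo:status; a token carrying 'repo' (as in the 2022
    Heroku/Travis CI theft) can read every private repository the user sees."""
    return sorted(expand_scopes(parse_scope_header(header)) - expand_scopes(required))

def fetch_scope_header(token: str) -> str:
    """Live check (needs network): GitHub echoes the token's scopes on any call."""
    req = urllib.request.Request("https://api.github.com/user",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")

if __name__ == "__main__":
    # Constructed header, as GitHub would return for a token authorised with repo + user.
    print(excess_scopes("repo, user", ["repo:status"]))
```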