GitHub reported that a hacker was apparently exploiting a security vulnerability or
human error on 3rd-party apps Travis and Heroku.
The security vulnerability exposed the tokens,
allowing the hacker to steal the tokens and utilize them to enter private repositories on GitHub (including NPM)
so he managed to download those repositories – including all the code and information in them.
That means: Vulnerabilities in 3rd-party apps have caused code theft from GitHub
How could you prevent a similar hack to your git repo?
There are several different solutions – and you should implement them all:
1) Reduce permissions
If you use GitHub in the public cloud (github.com)and give 3rd-party vendors an Oauth access (the kind of tokens stolen) –
minimize the permissions you give third parties to access your information.
You should also go over the permissions they are requesting, and make sure that they are not too broad and permissive.
A common mistake is to give sweeping or overarching permissions.
The same is true when granting permissions to GitHub Apps (which generate tokens as well).
2) Add protective layers
You should also consider moving to GitHub / GitLab Enterprise on a private server
(on-premises / single tenant / self-managed) behind additional layers of protection such as firewall, SSO or Secure Remote Access,
or use authorized IP addresses only (in public cloud editions), which provide additional layers of protection against unauthorized users from around the world.
3) Protect Secrets
Beyond that – it is important that the 3rd-party vendor stores the tokens in a centralized Vault tool – Which would have made it very difficult for hackers to obtain the tokens (making it almost always unattainable).
If you use such third parties – check or ensure (as part of your supply chain) that they store it in Vault tools such as the Akeyless Vault (SaaS and a hybrid solution) or HashiCorp for closed networks.
The same is true for any app that gives third-party access permissions using tokens.