
On April 15th, 2022, GitHub, the ubiquitous software development host owned by Microsoft, disclosed a third-party breach. This post covers what you need to know: how to tell whether you are exposed, how to respond, and how to reduce your risk exposure.
GitHub provides its customers with code repositories that hold all of their public and private source code. As of the end of 2021, GitHub claimed to have over 73 million users. GitHub holds repositories for open source providers, private companies and public companies.
On April 12th, GitHub Security identified unauthorized access to npm's production infrastructure using a compromised AWS API key. GitHub believes the attacker obtained that key by downloading private npm repositories with a stolen OAuth user token. The investigation found that the unknown attacker(s) had stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku (a Salesforce company) and Travis CI, and had used them to download data from dozens of organizations, including npm.
It is still unknown how the attackers obtained the tokens (a user must explicitly authorize an OAuth app before it receives one), so the severity of this third-party breach cannot yet be gauged. The potential damage, however, is substantial. Source code routinely contains hard-coded credentials, API keys and infrastructure details; an attacker holding stolen repository contents can mine them for such secrets and pivot into the other systems of the affected organizations, which are themselves customers of Heroku and Travis CI. And in this classic supply-chain attack, the threat actor could keep using the stolen tokens against GitHub to reach other companies' repositories until the tokens were revoked.
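The pivot described above runs on secrets that were committed to source code. A practical way to gauge your own exposure is to scan the repositories a stolen token could have reached for committed credentials, then rotate whatever turns up. The scanner below is an added example written for this post (it is not Panorays' tooling or GitHub's); the credential patterns, the entropy threshold of 3.5 bits per character and the sample repository are all constructed for illustration, and the AWS values are the placeholder pair from AWS's own documentation rather than live keys.

```python
import math
import os
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Credential formats with a fixed, recognisable prefix. Illustrative, not exhaustive.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# NAME = "value" where NAME hints at a secret. The value must be long enough to be a
# real credential; low-entropy placeholders such as "your-api-key-here" are dropped later.
ASSIGNMENT = re.compile(
    r"([A-Za-z0-9_.\-]*(?:secret|password|passwd|token|api[_-]?key|private[_-]?key)"
    r"[A-Za-z0-9_.\-]*)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})",
    flags=re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; hand-tuned assumption for this example
SKIP_DIRS = {".git", "node_modules", ".venv"}
MAX_BYTES = 1_000_000


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of a secret to locate it; never print the full value."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "****"


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; returns a Finding per suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()  # values already reported on this line (avoids double counting)
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, m.group(0)))
                seen.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group(1), m.group(2)
            if value in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append(Finding(path, line_no, "high_entropy:" + name, value))
            seen.add(value)
    return findings


def scan_tree(root: str) -> list:
    """Walk a checked-out repository and scan every text file under it."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > MAX_BYTES:
                    continue
                with open(full, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\x00" in raw:  # crude binary-file check
                continue
            findings.extend(scan_text(os.path.relpath(full, root), raw.decode("utf-8", "replace")))
    return findings


# Constructed sample repository so the script runs offline. The AWS pair is the
# documented AWS example key, not a live credential.
SAMPLE_REPO = {
    "config/settings.py": (
        'DEBUG = False\n'
        'DATABASE_URL = "postgres://app:app@localhost/app"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "deploy/.env": "GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\nLOG_LEVEL=info\n",
    "docs/README.md": "Set API_KEY=your-api-key-here before running.\n",
}


def scan_sample() -> list:
    findings = []
    for path, text in SAMPLE_REPO.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Run it with a path to a checked-out repository to scan that tree, or with no arguments to scan the embedded sample, which reports the AWS key pair and the GitHub token and ignores the README placeholder. Fixed-prefix patterns catch the formats that are cheap to recognise; the entropy check catches the rest, at the cost of a threshold that needs tuning per code base. A finding is a reason to rotate the credential, not merely to delete the line, because anything in git history is already in the attacker's copy.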
Panorays itself is not affected: Panorays does not use GitHub as its source control service, nor does it use Heroku or Travis CI.
Not every GitHub user is affected. The stolen tokens were issued to Heroku and Travis CI, so the organizations at risk are those whose members had authorized those OAuth apps, because a stolen token carries whatever repository access the user granted the app. For an affected organization, the impact on its intellectual property, and on the functionality of the products it delivers to its customers, could be severe.
Clearly, having visibility into and control over your third-party security is critical to maintaining a strong cyber posture. That’s why Panorays combines automated, dynamic security questionnaires with external attack surface assessments and business relationship context to provide you with a rapid, accurate view of supplier and fourth-party cyber risk. Our platform continuously monitors and evaluates your suppliers, sending you live alerts about any security changes or breaches to your third parties.
Want to learn more about how you can prevent third-party cyber breaches? Contact Panorays today to schedule a demo.