GitHub Issues Security Alert After Spotting Misuse of Tokens Stolen from OAuth Integrators

GitHub issued a security alert Friday.
GitHub’s chief security officer wrote that on Tuesday, “GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm…”

We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14…

Looking across the entire GitHub platform, we have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and abused to download private repositories belonging to dozens of victim organizations that were using these apps. Our analysis of other behavior by the threat actor suggests that the actors may be mining the downloaded private repository contents, to which the stolen OAuth token had access, for secrets that could be used to pivot into other infrastructure.

We are sharing this today as we believe the attacks may be ongoing and action is required for customers to protect themselves.

The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key. Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above. Upon discovering the broader theft of third-party OAuth tokens not stored by GitHub or npm on the evening of April 13, we immediately took action to protect GitHub and npm by revoking tokens associated with GitHub and npm’s internal use of these compromised applications.

We believe that the two impacts to npm are unauthorized access to, and downloading of, the private repositories in the npm organization on GitHub.com and potential access to the npm packages as they exist in AWS S3 storage.

At this point, we assess that the attacker did not modify any packages or gain access to any user account data or credentials. We are still working to understand whether the attacker viewed or downloaded private packages.

npm uses completely separate infrastructure from GitHub.com; GitHub was not affected in this original attack. Though investigation continues, we have found no evidence that other GitHub-owned private repos were cloned by the attacker using stolen third-party OAuth tokens.

Once GitHub identified stolen third-party OAuth tokens affecting GitHub users, GitHub took immediate steps to respond and protect users. GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users…. GitHub is currently working to identify and notify all of the known-affected victim users and organizations that we discovered through our analysis across GitHub.com. These customers will receive a notification email from GitHub with additional details and next steps to assist in their own response within the next 72 hours.
If you do not receive a notification, you and/or your organization have not been identified as affected.

You should, however, periodically review what OAuth applications you’ve authorized or are authorized to access your organization and prune anything that’s no longer needed.
You can also review your organization audit logs and user account security logs for unexpected or anomalous activity….

The security and trustworthiness of GitHub, npm, and the broader developer ecosystem is our highest priority. Our investigation is ongoing, and we will update this blog, and our communications with affected customers, as we learn more.
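One way to act on the log-review advice above, as an added example that is not GitHub's code or part of its statement: a Python script that scans constructed, GitHub-style organization audit-log entries for the pattern the advisory describes, an OAuth app's token cloning many private repositories in a short window from an address outside the integrator's known egress set. The entry field names, the `git.clone` event name, the app label `ci-integrator` and the IP addresses are assumptions, not GitHub's actual schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _entry(ts, repo, ip, app, visibility="private"):
    # Constructed GitHub-style audit-log line; the field names are assumptions.
    return json.dumps({"action": "git.clone", "actor": "ci-bot", "repo": repo,
                       "visibility": visibility, "actor_ip": ip,
                       "oauth_app": app, "@timestamp": ts})


# Constructed sample: a six-repo burst from an unfamiliar address, then routine
# activity from the integrator's known address (both are documentation ranges).
SAMPLE_LOG = "\n".join(
    [_entry("2022-04-12T01:0%d:00Z" % i, "acme/repo-%d" % i, "203.0.113.7", "ci-integrator")
     for i in range(6)]
    + [_entry("2022-04-12T09:00:00Z", "acme/web", "198.51.100.4", "ci-integrator"),
       _entry("2022-04-12T09:05:00Z", "acme/docs", "198.51.100.4", "ci-integrator", "public")]
)
KNOWN_IPS = {"198.51.100.4"}  # stand-in for the integrator's published egress addresses


def find_bulk_private_downloads(log_text, known_ips, threshold=5, window=timedelta(minutes=10)):
    """Group private-repo clones by (oauth_app, actor_ip) and report pairs from
    unfamiliar addresses that reach `threshold` distinct repos inside `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("action") != "git.clone" or e.get("visibility") != "private":
            continue
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events[(e["oauth_app"], e["actor_ip"])].append((ts, e["repo"]))
    findings = []
    for (app, ip), items in events.items():
        if ip in known_ips:
            continue
        items.sort()
        best, start = set(), 0
        for end in range(len(items)):  # sliding time window over the sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            repos = {r for _, r in items[start:end + 1]}
            if len(repos) > len(best):
                best = repos
        if len(best) >= threshold:
            findings.append({"oauth_app": app, "actor_ip": ip, "repos": sorted(best)})
    return findings


if __name__ == "__main__":
    for f in find_bulk_private_downloads(SAMPLE_LOG, KNOWN_IPS):
        print("suspicious: app=%(oauth_app)s ip=%(actor_ip)s repos=%(repos)s" % f)
```

A hit is a reason to revoke that app's authorization and check which secrets the listed repositories held, which is the pivot the advisory warns about.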

Read more of this story at Slashdot.

MS Symptoms May Have Been ‘Reversed’ In Immunotherapy Breakthrough

A new immunotherapy that targets cells infected with Epstein-Barr Virus (EBV) has halted the progression of multiple sclerosis (MS) in a small trial. Perhaps even more incredibly, in some patients, it is possible that symptoms of MS were actually reversed, though this was not fully identified in the most recent presentation of results (PDF). IFLScience reports: [S]ignificant evidence has linked infection of EBV and the eventual development of MS. […] Attempting to “transform treatment of Multiple Sclerosis,” Atara Biotherapeutics has developed an allogeneic T-cell therapy called ATA188. The concept is simple — when cells are infected with EBV, they express small proteins called antigens on the cell surface, and the immunotherapy contains immune cells that target and destroy them.

In a trial of 24 patients who received the therapy, 20 saw improvements or stability in their symptoms and no fatal or serious adverse effects were reported. Early brain scans suggest that some damaged nerve cells may have been “repaired” by the therapy in a process called remyelination, which could mean a reversal of damage caused by MS in the nervous system, but this has not yet been confirmed. While the results are extremely promising, it is an early Phase 1 trial with a small sample size and no placebo or control group, so it is unclear whether the results are significant at this stage. However, it is unlikely that this repair would occur naturally, suggesting the therapy is having a beneficial effect on some level.


ACE Shuts Down Massive Pirate Site After Locating Owner In Remote Peru

As part of its global anti-piracy mission, the Alliance for Creativity and Entertainment (ACE) has been trying to shut down Pelisplushd.net, a massive pirate streaming site with roughly 70 million visits per month. After tracking down its operator in the remote countryside of Peru, the anti-piracy group says the site is no more. TorrentFreak reports: In a statement published Wednesday, ACE officially announced that it was behind the closure of Pelisplushd.net. The anti-piracy group labeled the platform the second-largest Spanish-language ‘rogue website’ in the entire Latin American region with 383.5 million visits in the past six months and nearly 75 million visits in February 2022. In Mexico alone, the site had more visitors than hbomax.com, disneyplus.com and primevideo.com, a clear problem for those platforms which are all ACE members.

“This is a huge win for the ACE team based in Latin America as we work to protect the legitimate digital ecosystem throughout the region,” said Jan van Voorn, Executive Vice President and Chief of Global Content Protection for the Motion Picture Association. “The successful action against the operator of Pelisplushd.net was only made possible because of evidence that we gathered from previous operations conducted in other countries in Latin America. This speaks volumes about ACE’s ability to crack current cases utilizing years of past gathered intelligence and highlights the global, strategic approach that determines our actions around the world.”

The operator of Pelisplushd is yet to be named but ACE reveals that after a positive identification, the anti-piracy group tracked him down to the “remote countryside of Peru.” That took place in March and soon after, ACE says the operator agreed to turn over his domains. As far as we can tell the main domain at Pelisplushd.net is not yet completely in ACE/MPA hands but a full transfer will probably take place later.


‘Club Penguin Rewritten’ Allegedly Shut Down By Disney, Website Seized By London Police

“Club Penguin Rewritten,” a popular remake of Club Penguin enjoyed by thousands of gamers, has been seized by the City of London Police, with three people in connection with the site’s shuttering reportedly arrested for allegedly distributing copyrighted material. “Over 140,000 users were members of a Discord server for the game until today, when every message on the Discord disappeared,” reports TechCrunch. From the report: In 2007, Disney purchased Club Penguin — the children’s RPG that served as my first introduction to online fandom — for a whopping $700 million. Even then, as a child with little context about tech industry acquisitions, the purchase seemed foreboding (at least my friends thought so on the Miniclip forums, where I fraudulently claimed to be 13). But eventually, those of us who were dedicated fans of virtual sledding games and dance parties grew out of it, and after once boasting 200 million users, the game was shut down due to lack of interest in 2017. Disney tried to shuttle remaining players to a new mobile game called Club Penguin Island, but it only lasted for a year. But ever since the end of Club Penguin — when the iceberg finally tipped in a strangely emotional moment — there have always been remakes out there for nostalgic adults to relive their days of collecting puffles, dancing in the pizza shop and speed-running bans.

Only one message on the Discord remains, posted early this morning by an admin: “CPRewritten is shutting down effective immediately due to a full request by Disney,” the admin said. “We have voluntarily given control over the website to the police for them to continue their copyright investigation.” TechCrunch reached out to the City of London Police and Disney to verify these claims but did not hear back before publication. In 2020, Disney shut down “Club Penguin Online,” another copy of the game that acquired over a million new players during the pandemic.


Russian Tech Industry Faces ‘Brain Drain’ As Workers Flee

mspohr shares a report from the New York Times: In early March, days after Russia invaded Ukraine and began cracking down on dissent at home, Konstantin Siniushin, a venture capitalist in Riga, Latvia, helped charter two planes out of Russia to help people flee. Both planes departed from Moscow, carrying tech workers from the Russian capital as well as St. Petersburg, Perm, Ekaterinburg and other cities. Together, the planes moved about 300 software developers, entrepreneurs and other technology specialists out of the country, including 30 Russian workers from start-ups backed by Mr. Siniushin. The planes flew south past the Black Sea to Yerevan, the capital of Armenia, where thousands of other Russian tech workers fled in the weeks after the invasion. Thousands more flew to Georgia, Turkey, the United Arab Emirates and other countries that accept Russian citizens without visas.

By March 22, a Russian tech industry trade group estimated that between 50,000 and 70,000 tech workers had left the country and that an additional 70,000 to 100,000 would soon follow. They are part of a much larger exodus of workers from Russia, but their departure could have an even more lasting impact on the country’s economy. “The long-run impact may be more significant than the short-run impact,” said Barry Ickes, head of the economics department at Pennsylvania State University, who specializes in the Russian economy. “Eventually, Russia has to diversify its economy away from oil and gas, and it has to accelerate productivity growth. Tech was a natural way of doing that.” “Before all this started, Russia had such a strong technology base,” [Artem Taganov, founder and chief executive of a Russian start-up called HintEd] said. “Now, we have a brain drain that will continue for the next five to 10 years.”


Amazon Workers Made Up Almost Half of All Warehouse Injuries Last Year

Amazon workers only make up a third of US warehouse employees, but in 2021, they suffered 49 percent of the injuries for the entire warehouse industry, according to a report by advocacy group Strategic Organizing Center (or SOC). The Verge reports: After analyzing data from the Occupational Safety and Health Administration (OSHA), the union coalition found that Amazon workers are twice as likely to be seriously injured than people who work in warehouses for other companies. The report considers “serious injuries” to be ones where workers either have to take time off to recover or have their workloads reduced, following OSHA’s report classification (pdf) of “cases with days away from work” and “cases with job transfer or restriction.” The data shows that, over time, the company has been shifting more toward putting people on light duty, rather than having them take time off. The report authors also note that Amazon workers take longer to recover from injuries than employees at other companies: around 62 days on average, versus 44 across the industry.

Amazon employees have said it’s not the work itself that’s particularly dangerous but rather the grueling pace the company’s automated systems demand. Amazon actually had workers go slower in 2020 to help combat COVID-19, which accounts for the notably lower injury rates that year. But, as the report notes, the injuries increased by around 20 percent between 2020 and 2021 as the company resumed its usual pace — though the injury rates for 2021 were still lower than they were in 2019. […] Unfortunately, this study’s results tell the same story we’ve been hearing for years. Even with its reduced injury rates in 2020, Amazon workers were still hurt twice as often as other warehouse workers, according to SOC. Further reading: Amazon Workers At 100 More Facilities Want To Unionize (Yahoo Finance)
