DeepSource Says Hackers Compromised Its GitHub Application

Automated code review tool provider DeepSource this week announced that it reset tokens, secrets, private keys, and employee credentials after being informed that its GitHub application was compromised.

Designed to help developers identify security flaws, bug risks, and performance issues during code review, DeepSource also provides integration with GitHub to allow app authors get started with code analysis fast.

On Tuesday, DeepSource announced that, on July 11, the GitHub Security Team informed them of potentially malicious activity related to the DeepSource GitHub application, and that precautionary measures to limit potential access to resources were taken immediately.

“By 7AM UTC, we had rotated all user tokens, client secrets and private keys. Since we didn’t know the origin of the attack, we also rotated all credentials and keys of employees who had access to production systems. Through internal investigation, we have not identified any unusual breach or behaviour, and have concluded that the DeepSource infrastructure has not been breached,” the startup announced.

Starting mid-June, the GitHub Security team observed numerous requests from unusual IP addresses for DeepSource users, but was not sure that a compromise had occurred, despite the anomalous traffic.

Following a deeper investigation, however, GitHub determined that hackers managed to compromise the GitHub account of one of DeepSource’s employees, as part of the Sawfish phishing campaign that was detected earlier this year.

Thus, the attackers managed to access credentials for the DeepSource GitHub app, the startup says.

“Unfortunately, GitHub’s privacy policy prevents them from sharing the affected user list with us, so we are disclosing this issue publicly while waiting for GitHub to complete their investigation. Our understanding is GitHub will notify the directly affected users as per their policies,” DeepSource notes.

Users who would like to receive additional information on repository downloads and other account activity to identify suspicious behavior can head to this page and ask GitHub for the necessary logs.

DeepSource says that it has already engaged with industry security advisors and that it has taken measures to improve policies and security, including through conducting security training for its employees.

“Additionally we have started work towards gaining the SOC 2 Type 2 compliance certification, which will provide a path for third party auditors to ensure that DeepSource’s security practice exceeds industry standards,” the company announced.

To further improve security, DeepSource plans on launching a bug bounty program in the near future, to identify weaknesses in its assets, even if this incident is not the result of a vulnerability in the DeepSource application itself.

The startup also sent notifications to all of its users via email to inform them about the security incident.

Related: GitHub Warns Users of Sophisticated Phishing Campaign

Related: Cloud Company Blackbaud Pays Ransomware Operators to Avoid Data Leak

Related: Hackers Accessed, Downloaded Twitter User Data in Recent Attack