GitHub is notifying known victims of an ongoing attack using stolen third-party OAuth user tokens.

OAuth user tokens maintained by Heroku and Travis CI were stolen and abused by an unauthorised party to download data from dozens of organisations, including npm.

Mike Hanley, Chief Security Officer at GitHub, wrote in a blog post:

“We have high confidence that compromised OAuth user tokens from Heroku and Travis-CI-maintained OAuth applications were stolen and...