Cyber Incident Victim: DeepSource
Date: Apr 2020
Location: United States of America
Summary
DeepSource, a provider of automated static code analysis tools for major repositories, experienced a security breach when an employee fell victim to the Sawfish phishing campaign, resulting in stolen GitHub credentials. GitHub detected unusual activity from the company's users, prompting immediate rotation of all user tokens, client secrets, private keys, and employee credentials with production access. The attackers exploited compromised credentials to access private repositories and create persistent access tokens, targeting accounts without hardware-based two-factor authentication. The startup publicly disclosed the incident after GitHub's privacy restrictions prevented sharing specific user details, notified all users, and announced plans for a security bug bounty program to identify vulnerabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The DeepSource incident began when GitHub detected malicious activity linked to the startup's GitHub app in early July 2020, notifying DeepSource on the morning of July 11. GitHub's security team had observed unusual requests originating from DeepSource users' accounts, which triggered an investigation into potentially unauthorized access. DeepSource responded within two hours by rotating all user tokens, client secrets, private keys, and employee credentials for personnel with production system access. The compromise stemmed from an employee falling victim to the Sawfish phishing campaign, a targeted operation active since April 2020 that impersonated GitHub login pages to harvest credentials and time-based one-time passwords (TOTP). Attackers used the stolen credentials to create personal access tokens and authorize OAuth applications, giving them persistent access that survived even if victims changed their passwords. GitHub confirmed the employee compromise on July 16 but could not disclose affected user details due to its privacy policies, prompting DeepSource to disclose the incident publicly while GitHub's investigation was still in progress.

DeepSource notified all users via email on July 20, 2020, revealing that attackers had downloaded private repositories—including those belonging to organizational accounts and collaborators—during the breach. The startup announced plans to launch a security bug bounty program to identify vulnerabilities in its systems. GitHub's earlier April 2020 advisory about Sawfish had warned that the campaign defeated accounts protected by TOTP-based 2FA, while accounts using hardware security keys remained unaffected. The incident impacted high-profile clients including Intel, NASA, Slack, and Uber, though the full scope of compromised repositories remained unclear because of GitHub's restricted disclosure. DeepSource directed affected users to request access logs from GitHub to identify suspicious downloads, while GitHub's Security Incident Response Team continued investigating the credential misuse patterns observed since the campaign's inception.
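The two steps the description turns on for defenders are (1) finding the durable credentials an attacker minted after a phished login, since personal access tokens and OAuth authorizations are not invalidated by a password change, and (2) working out which repositories were pulled with them from the access logs GitHub can provide. The script below is an added example, not code from DeepSource or GitHub: it triages a constructed JSON-lines audit log for those two signals inside a suspected compromise window and produces a revocation list plus a download list. The field names and action strings (`personal_access_token.create`, `oauth_authorization.create`, `repo.download_zip`) are assumptions modelled loosely on GitHub audit-log conventions, and every log line is constructed sample data.

```python
"""Triage a GitHub-style audit log for post-phishing persistence and repo downloads.

Added example, not code from the incident write-up. Action names, field names
and all log lines are constructed assumptions for illustration only.
"""
import json
from datetime import datetime

# Constructed sample audit events (JSON lines). Note that alice's password
# reset on 2020-07-12 happens well after the token and OAuth grant were created,
# so on its own it would not have cut off the attacker's access.
SAMPLE_LOG = """\
{"ts": "2020-07-09T08:02:11Z", "actor": "alice", "action": "user.login", "ip": "203.0.113.10"}
{"ts": "2020-07-10T21:14:03Z", "actor": "alice", "action": "user.login", "ip": "198.51.100.7"}
{"ts": "2020-07-10T21:15:40Z", "actor": "alice", "action": "personal_access_token.create", "token_name": "ci-backup"}
{"ts": "2020-07-10T21:16:02Z", "actor": "alice", "action": "oauth_authorization.create", "application": "Repo Sync Helper"}
{"ts": "2020-07-10T21:30:55Z", "actor": "alice", "action": "repo.download_zip", "repo": "acme/internal-api"}
{"ts": "2020-07-10T21:31:20Z", "actor": "alice", "action": "repo.download_zip", "repo": "acme/billing"}
{"ts": "2020-07-11T09:05:00Z", "actor": "bob", "action": "personal_access_token.create", "token_name": "laptop"}
{"ts": "2020-07-12T10:00:00Z", "actor": "alice", "action": "user.password_reset"}
"""

# Actions that hand out credentials which survive a password change (assumed names),
# mapped to the field that identifies the credential to revoke.
PERSISTENCE_ACTIONS = {
    "personal_access_token.create": "token_name",
    "oauth_authorization.create": "application",
}
# Actions that indicate repository contents left the platform (assumed name).
DOWNLOAD_ACTIONS = {"repo.download_zip": "repo"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = parse_ts(event["ts"])
        events.append(event)
    return events


def triage(events, compromised_actors, window_start, window_end):
    """Return credentials to revoke and repos downloaded by the given actors in the window.

    Events from other actors, or outside the window, are deliberately ignored so
    the output is a focused revocation and notification list.
    """
    revoke, downloads = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["actor"] not in compromised_actors:
            continue
        if not (window_start <= ev["ts"] <= window_end):
            continue
        action = ev["action"]
        if action in PERSISTENCE_ACTIONS:
            credential_kind = action.split(".")[0]
            revoke.append((credential_kind, ev.get(PERSISTENCE_ACTIONS[action], "<unknown>")))
        elif action in DOWNLOAD_ACTIONS:
            downloads.append(ev[DOWNLOAD_ACTIONS[action]])
    return {"revoke": revoke, "downloads": downloads}


def triage_sample():
    """Run the triage over the constructed log for the assumed compromise window."""
    events = parse_events(SAMPLE_LOG)
    return triage(
        events,
        compromised_actors={"alice"},
        window_start=parse_ts("2020-07-10T00:00:00Z"),
        window_end=parse_ts("2020-07-11T12:00:00Z"),
    )


if __name__ == "__main__":
    result = triage_sample()
    for kind, name in result["revoke"]:
        print(f"REVOKE {kind}: {name}")
    for repo in result["downloads"]:
        print(f"DOWNLOADED {repo}")
```

The window and actor list are the inputs a responder would derive from GitHub's notification; the revocation list is the concrete answer to "what did rotating passwords miss", and the download list is what to put in the user notification. In a real engagement the log would come from the provider's audit-log export, and the action names would need to be matched to that export's actual schema.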
