An attacker who used stolen OAuth open standard authentication tokens from Heroku and Travis-CI was able to download private repositories and source code.
The OAuth user tokens are from the cloud-based Salesforce-owned Heroku programming language support platform, and the Travis-CI continuous integration service.
GitHub said that apart from private repositories belonging to dozens of victim organisations, the threat actor could be mining the data taken for secrets to pivot into other infrastructure.
Microsoft-owned GitHub said it detected the hacking after its security staffers discovered unauthorised access to its production npm infrastructure, with a compromised Amazon Web Services API key.
GitHub does not believe any packages were modified or that the attacker gained access to user account data or credentials.
Salesforce has acknowledged the hack and turned off GitHub integration with Heroku.
"To mitigate impact from potentially compromised OAuth tokens, we will revoke over the next several hours all existing tokens from the Heroku GitHub integration," Heroku said in a customer advisory.
"We are also preventing new OAuth tokens from being created until further notice. Your GitHub repositories will not be affected in any way by this action.
"Currently running Heroku applications will not be affected, but this will prevent you from deploying your apps from GitHub through the dashboard or via automation.
"Some other actions in the dashboard will no longer work due to this mitigation, and you will be unable to reconnect to GitHub even though you may see warning banners about reconnecting," Heroku said.
Affected applications currently include the four versions of the Heroku Dashboard and Travis-CI ID 9216.
GitHub is alerting all victims it can identify, and is asking users to review which OAuth applications they have authorised, or have access to their organisations, and remove the ones no longer needed.