
I used here:

https://github.com/organizations/<ORG_NAME>/settings/audit-l...

... but the real question is what would malicious activity look like, exactly?




I see a heap of "downloaded a zip of repository" but I suspect that's Heroku CI or other CI tool running.


Same. Most belong to 1 member of our team, but a few belong to others on the team. They started happening about 6 months ago (unless logs only go back 6 mo). Would really like to figure out what these are. I asked GH, they said it’s not involved with this breach, and haven’t yet answered my next question (who/what is it?)


Yeah, I see lots of the same. They seem to correspond with Heroku deploys? Anyone know if that happens when a valid Heroku deploy occurs? Do they download a zip?

I've reached out to Heroku support to ask.


Normal Heroku usage doesn’t download a zip because it uses git directly, but I’ve seen plenty of CI tools download zips.


Including Heroku CI? We don't use an external CI tool (or really any other integrations except GH), but I do see these download logs.


For what it's worth, elsewhere in this comment section someone posted that GitHub Support says the zip downloads weren't related to this incident. Reading between the lines, the compromised repos were probably accessed using normal git clone actions.


That was me who posted that :) Seems unrelated, but still hoping to get that figured out anyway.


I thought as much. Maybe it is CircleCI then.


Please let us know if you get any info from them! :)



