DevOps platform CircleCI has announced that a malicious actor who successfully implanted malware on an internal engineer’s laptop was responsible for a recent security breach.
On January 4, CircleCI advised software developers that use its platform to rotate secrets and API tokens. In a post-mortem on the breach, published on January 13, the company offered a detailed description of the events that led to the attack.
CircleCI stated that it first became aware of the attack on December 29 when one of its customers reported “suspicious GitHub OAuth activity”.
An investigation was launched, involving CircleCI’s security team and GitHub, which revealed that an unauthorized third party had used malware deployed to an engineer’s laptop to steal a valid, 2FA-backed SSO session on or around December 16.
As a result of the attack, CircleCI has restricted employee access to its production systems and rebuilt its production environment with clean hosts, revoked project API tokens and rotated Bitbucket and GitHub OAuth tokens.