{
  "generated": "2026-04-28T16:33:37.600753+00:00",
  "count": 4,
  "items": [
    {
      "appname": "Heroku Dashboard",
      "appid": "heroku dashboard",
      "metadata_category": "malicious",
      "metadata_severity": "critical",
      "metadata_comment": "Historical IOC. April 2022 breach: GitHub disclosed that user tokens issued to two OAuth App registrations under this exact name (numeric OAuth App IDs 145909 and 628778) were stolen and used to download private repos from dozens of orgs, including npm. Heroku/GitHub revoked all tokens April 13-16 2022; Heroku stopped issuing new tokens from this integration. GitHub audit logs surface the application name (oauth_application_name) for oauth_authorization.* and oauth_access.* events but not the numeric ID, so match by name. Hunt historical org audit logs for any oauth_authorization.create or oauth_access.generate events tied to this app name to assess past exposure. GitHub retains audit log events only for a limited period, so assessing 2022 activity generally requires logs that were exported or streamed to external storage at the time.",
      "metadata_reference": "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/ | https://github.com/oauthsentry/oauthsentry.github.io/blob/main/data/github/curated_seed.csv",
      "service": "github",
      "_provenance": "github_curated_seed"
    },
    {
      "appname": "Heroku Dashboard - Classic",
      "appid": "heroku dashboard - classic",
      "metadata_category": "malicious",
      "metadata_severity": "critical",
      "metadata_comment": "Historical IOC. April 2022 breach (numeric OAuth App ID 363831). Same incident and revocation as Heroku Dashboard. Match by oauth_application_name in audit logs.",
      "metadata_reference": "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/ | https://github.com/oauthsentry/oauthsentry.github.io/blob/main/data/github/curated_seed.csv",
      "service": "github",
      "_provenance": "github_curated_seed"
    },
    {
      "appname": "Heroku Dashboard - Preview",
      "appid": "heroku dashboard - preview",
      "metadata_category": "malicious",
      "metadata_severity": "critical",
      "metadata_comment": "Historical IOC. April 2022 breach (numeric OAuth App ID 313468). Same incident and revocation as Heroku Dashboard. Match by oauth_application_name in audit logs.",
      "metadata_reference": "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/ | https://github.com/oauthsentry/oauthsentry.github.io/blob/main/data/github/curated_seed.csv",
      "service": "github",
      "_provenance": "github_curated_seed"
    },
    {
      "appname": "Travis CI",
      "appid": "travis ci",
      "metadata_category": "malicious",
      "metadata_severity": "critical",
      "metadata_comment": "Historical IOC. April 2022 breach (numeric OAuth App ID 9216): GitHub disclosed that OAuth tokens issued to this app were stolen via a Heroku-side compromise and used to access private repos. Travis CI revoked all authorization keys and tokens April 15 2022. Match by oauth_application_name in audit logs (numeric ID is not surfaced in OAuth-lifecycle audit events). A name match only shows that the app was authorized; confirm the event dates against the April 2022 window before treating a hit as exposure.",
      "metadata_reference": "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/ | https://github.com/oauthsentry/oauthsentry.github.io/blob/main/data/github/curated_seed.csv",
      "service": "github",
      "_provenance": "github_curated_seed"
    }
  ]
}