The intrusion took place last night, at about 8 pm (US Pacific coast) on Saturday, and was detected before the attackers could do any harm, the LineageOS team said in a statement released less than three hours after the incident.
The LineageOS team said the source code of the operating system was unaffected, as were any operating system builds that had been paused since April 30 due to an unrelated problem.
Also unaffected were the signing keys used to authenticate official OS distributions, as these were stored on hosts separate from the main LineageOS infrastructure.
Developers at LineageOS said the hack took place after the attacker used an unpatched vulnerability to breach its Salt installation.
Salt is an open-source framework from SaltStack that is usually used to manage and automate servers within data centers, cloud server setups, or internal networks.
Earlier this week, cyber-security firm F-Secure revealed two major vulnerabilities in the Salt framework that could be used to take over Salt installations.
The two vulnerabilities were CVE-2020-11651 (an authentication bypass) and CVE-2020-11652 (a directory traversal), which, when combined, could allow attackers to bypass login procedures and execute code on Salt master servers left exposed on the internet.
Attacks exploiting these two bugs began sometime yesterday, according to reports from Salt server owners. In some cases, attackers have planted backdoors on hacked servers. In other instances, they have deployed cryptocurrency miners.
There are currently more than 6,000 Salt servers left exposed online which, if left unpatched, can be exploited via this vulnerability. Patches for the Salt vulnerabilities were released earlier this week. Normally, Salt servers should be deployed behind a firewall and not left exposed on the internet.
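A defender-side check for the deployment advice above, as an added example that is not part of the original article: it parses `ss -tln` output (the sample below is constructed) and reports which addresses the Salt master's default ports, 4505 and 4506, are bound to. The function names are hypothetical.

```python
import ipaddress

# Salt master default TCP ports: publish_port 4505 and ret_port 4506.
SALT_MASTER_PORTS = {4505, 4506}

def classify_bind(addr: str) -> str:
    """Classify a listening address as all-interfaces, loopback or specific."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "specific"

def salt_listeners(ss_output: str):
    """Return (port, address, exposure) for each Salt master listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in SALT_MASTER_PORTS:
            continue
        findings.append((int(port), addr, classify_bind(addr)))
    return findings

def bound_everywhere(findings):
    """Listeners reachable on every interface, including any internet-facing one."""
    return [f for f in findings if f[2] == "all-interfaces"]

# Constructed sample of `ss -tln` output, not taken from any real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4505       0.0.0.0:*
LISTEN 0      1000   10.20.0.5:4506     0.0.0.0:*
LISTEN 0      128    [::1]:4506         [::]:*
LISTEN 0      128    *:4505             *:*
"""

if __name__ == "__main__":
    for port, addr, exposure in salt_listeners(SAMPLE_SS):
        print(f"{addr}:{port} -> {exposure}")
```

A listener reported as `specific` still needs its interface checked against the firewall rules; only `loopback` is unreachable from other hosts by construction.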
Last night, the LineageOS team took down all of its servers to investigate the incident and patch the vulnerable servers.
This marks the second hack of a major operating system in the past year. Hackers breached Canonical's GitHub account in July 2019, but the source code of Ubuntu was also unaffected.