Friday, November 15, 2024

Millions of GitHub Repositories Are Vulnerable To RepoJacking


An attack called RepoJacking could affect millions of GitHub repositories.

If abused, this vulnerability might result in code execution on the internal networks of organizations or on the networks of their customers.

The affected repositories include those of companies like Google, Lyft, and many others, among them many high-value targets that are vulnerable to attack.


About 2.95% of the 1.25 million GitHub repositories examined by AquaSec’s security team, “Nautilus,” were vulnerable to RepoJacking.

How a RepoJacking Attack Works

RepoJacking is an attack in which a hostile actor registers a username that a company previously used but has since changed, and then creates a repository under the company's old repository name.

On GitHub, username and repository name changes are frequent: companies are acquired, merge with another company, come under new management, or decide to adopt a new brand name.

When this occurs, a redirection from the old name to the new one is set up so that projects depending on the renamed repository do not break; however, if someone registers the previous name, the redirection is rendered invalid.


As a result, any code or project that depends on the attacked repository will retrieve its dependencies and other code from the attacker-controlled repository, which may include malware.

The same thing may also occur if control of a repository is handed to another user and the original account is deleted, enabling an attacker to create an account with the old username.

A threat actor may gather a list of distinct repositories using services like GHTorrent to harvest GitHub metadata linked to public commits and pull requests.

According to the information shared with Cyber Security News, the findings imply that millions of repositories may be susceptible to a similar assault, given that GitHub has over 330 million repositories.

One such repository is Google/mathsteps, formerly owned by Socratic (socraticorg/mathsteps), a business that Google purchased in 2018.

“When you access https://github.com/socraticorg/mathsteps, you are being redirected to https://github.com/google/mathsteps so eventually the user will fetch Google’s repository,” the researchers said.

“However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository, and users following Google’s instructions will clone the attacker’s repository instead.

And because of the npm install, this will lead to arbitrary code execution on the users.”

Millions of vulnerable repositories

GitHub is aware of this risk and has safeguards against RepoJacking attacks. Reports indicate, however, that the remedies provided thus far are insufficient and simple to get around.

For instance, because GitHub only shields the most well-known projects, a supply-chain breach also reaches the lesser-known, more susceptible projects that depend on them.

Also, when a repository's name is changed, GitHub only safeguards it if it has over 100 clones.

This protection does not cover projects that gained popularity after being given a new name or changing ownership.

Mitigation

  • Check your repositories regularly for any links that pull resources from external GitHub repositories, since referenced projects such as Go modules could change their names at any point.
  • If you change your company’s name, be sure you still own the former name—even if it’s only a placeholder—to stop intruders from using it.
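As an added illustration of the first mitigation step (example code written for this article, not from the researchers or from GitHub), the script below pulls github.com references out of manifest or README text and reports whether each one still resolves directly, is reachable only through a rename redirect (so the old namespace must be owned or the reference updated to the new name), or no longer exists. The sample text, the example-* owner names and the offline resolver are constructed; `resolve_live` performs the same check against GitHub itself.

```python
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Matches github.com/<owner>/<repo> in clone URLs, go.mod require lines and
# "github:owner/repo" npm specifiers; a trailing ".git" is not part of the repo name.
GITHUB_REF = re.compile(r"github(?:\.com[/:]|:)([\w.-]+)/([\w.-]+?)(?:\.git)?(?![\w.-])")

def find_github_refs(text):
    """Return the unique (owner, repo) pairs referenced in a manifest or README."""
    return sorted(set(GITHUB_REF.findall(text)))

def resolve_live(owner, repo):
    """Follow GitHub's rename redirect to the final (owner, repo); None on HTTP error."""
    try:
        with urlopen(Request(f"https://github.com/{owner}/{repo}", method="HEAD")) as resp:
            parts = resp.geturl().rstrip("/").split("/")
            return parts[-2], parts[-1]
    except HTTPError:
        return None

def assess_ref(owner, repo, resolve=resolve_live):
    """Classify one reference. 'redirected' means the code is only reachable through
    a rename redirect, so the old namespace must be owned or the reference updated."""
    final = resolve(owner, repo)
    if final is None:
        return ("missing", None)
    if final[0].lower() != owner.lower():
        return ("redirected", f"{final[0]}/{final[1]}")
    return ("direct", f"{owner}/{repo}")

def audit(text, resolve=resolve_live):
    """Map every 'owner/repo' reference found in text to its assessment."""
    return {f"{o}/{r}": assess_ref(o, r, resolve) for o, r in find_github_refs(text)}

# Constructed sample manifest text and an offline stand-in for GitHub's redirects;
# the socraticorg -> google case is the one described in the article.
SAMPLE_TEXT = """
git clone https://github.com/socraticorg/mathsteps.git
require github.com/example-old-org/toolkit v1.4.0
"dep": "github:example-org/current-lib"
"""
REDIRECTS = {("socraticorg", "mathsteps"): ("google", "mathsteps"),
             ("example-old-org", "toolkit"): None}
def offline_resolve(owner, repo):
    return REDIRECTS.get((owner, repo), (owner, repo))

if __name__ == "__main__":
    for ref, (status, target) in audit(SAMPLE_TEXT, offline_resolve).items():
        print(f"{ref:32} {status:10} -> {target}")
```

Run it against your own go.mod, package.json or README text with `resolve_live` to get a list of references that currently depend on a redirect and therefore on nobody claiming the old name.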


Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
