Saturday, June 15, 2024

Millions of GitHub Repositories Are Vulnerable To RepoJacking

An attack called RepoJacking may potentially affect millions of GitHub repositories.

If abused, this vulnerability might result in code execution on the internal networks of organizations or on the networks of their customers. 

This includes the repositories of companies like Google, Lyft, and many others. It has many high-quality targets that are vulnerable to attack.

About 2.95% of the 1.25 million GitHub repositories examined by AquaSec’s security team, “Nautilus,” were vulnerable to RepoJacking.

How RepoJacking Attack Works?

RepoJacking is an attack in which a hostile actor registers a login and establishes a repository previously used by a company but whose name has subsequently changed.

On GitHub, username and repository name changes are frequent because companies often acquire or merge with another company to get new management, or they may decide to adopt a new brand name.

When this occurs, a redirection is made to prevent projects employing code from renamed repositories from breaking dependencies; however, if the previous name is registered, the redirection is rendered invalid.


By doing this, any code or project that depends on the attacked project’s dependencies will retrieve those dependencies and other code from the attacker-controlled repository, which may include malware.

As an alternative, the same thing may occur if control of a repository is handed to another user and the original account is removed, enabling an attacker to start an account with the old username.

A threat actor may gather a list of distinct repositories using services like GHTorrent to harvest GitHub metadata linked to public commits and pull requests.

According to the information shared with Cyber Security News, the findings imply that millions of repositories may be susceptible to a similar assault, given that GitHub has over 330 million repositories.

One such repository is Google/mathsteps, formerly owned by Socratic (socraticorg/mathsteps), a business that Google purchased in 2018.

“When you access, you are being redirected to so eventually the user will fetch Google’s repository,” the researchers said.

“However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository, and users following Google’s instructions will clone the attacker’s repository instead.

And because of the npm install, this will lead to arbitrary code execution on the users.”

Millions of vulnerable repositories

GitHub has safeguards against RepoJacking attacks since it is aware of this risk. Reports indicate that the remedies provided thus far are insufficient and simple to get around.

Because GitHub, for instance, only shields the most well-known projects, the supply chain breach also affects the lesser-known, more susceptible projects that depend on them.

Also, a repository’s name is changed, and GitHub safeguards it with over 100 clones, a sign of malicious planning.

This protection does not cover projects that gained popularity after being given a new name or changing ownership.


  • Check your repositories regularly for any links that might pull resources from outside GitHub repositories, as references to projects like Go modules could, at any point, alter their names.
  • If you change your company’s name, be sure you still own the former name—even if it’s only a placeholder—to stop intruders from using it.

Manage and secure Your Endpoints Efficiently – Free Download


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles