Friday, March 1, 2024

Millions of GitHub Repositories Are Vulnerable To RepoJacking

An attack called RepoJacking may potentially affect millions of GitHub repositories.

If abused, this vulnerability might result in code execution on the internal networks of organizations or on the networks of their customers. 

This includes the repositories of companies like Google, Lyft, and many others. It has many high-quality targets that are vulnerable to attack.

About 2.95% of the 1.25 million GitHub repositories examined by AquaSec’s security team, “Nautilus,” were vulnerable to RepoJacking.

How RepoJacking Attack Works?

RepoJacking is an attack in which a hostile actor registers a login and establishes a repository previously used by a company but whose name has subsequently changed.

On GitHub, username and repository name changes are frequent because companies often acquire or merge with another company to get new management, or they may decide to adopt a new brand name.

When this occurs, a redirection is made to prevent projects employing code from renamed repositories from breaking dependencies; however, if the previous name is registered, the redirection is rendered invalid.


By doing this, any code or project that depends on the attacked project’s dependencies will retrieve those dependencies and other code from the attacker-controlled repository, which may include malware.

As an alternative, the same thing may occur if control of a repository is handed to another user and the original account is removed, enabling an attacker to start an account with the old username.

A threat actor may gather a list of distinct repositories using services like GHTorrent to harvest GitHub metadata linked to public commits and pull requests.

According to the information shared with Cyber Security News, the findings imply that millions of repositories may be susceptible to a similar assault, given that GitHub has over 330 million repositories.

One such repository is Google/mathsteps, formerly owned by Socratic (socraticorg/mathsteps), a business that Google purchased in 2018.

“When you access, you are being redirected to so eventually the user will fetch Google’s repository,” the researchers said.

“However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository, and users following Google’s instructions will clone the attacker’s repository instead.

And because of the npm install, this will lead to arbitrary code execution on the users.”

Millions of vulnerable repositories

GitHub has safeguards against RepoJacking attacks since it is aware of this risk. Reports indicate that the remedies provided thus far are insufficient and simple to get around.

Because GitHub, for instance, only shields the most well-known projects, the supply chain breach also affects the lesser-known, more susceptible projects that depend on them.

Also, a repository’s name is changed, and GitHub safeguards it with over 100 clones, a sign of malicious planning.

This protection does not cover projects that gained popularity after being given a new name or changing ownership.


  • Check your repositories regularly for any links that might pull resources from outside GitHub repositories, as references to projects like Go modules could, at any point, alter their names.
  • If you change your company’s name, be sure you still own the former name—even if it’s only a placeholder—to stop intruders from using it.

Manage and secure Your Endpoints Efficiently – Free Download


Latest articles

CWE Version 4.14 Released: What’s New!

The Common Weakness Enumeration (CWE) project, a cornerstone in the cybersecurity landscape, has unveiled...

RisePro Stealer Attacks Windows Users Steals Sensitive Data

A new wave of cyber threats has emerged as the RisePro information stealer targets...

Golden Corral restaurant chain Hacked: 180,000+ Users’ Data Stolen

The Golden Corral Corporation, a popular American restaurant chain, has suffered a significant data...

CISA Warns Of Hackers Exploiting Multiple Flaws In Ivanti VPN

Threat actors target and abuse VPN flaws because VPNs are often used to secure...

BEAST AI Jailbreak Language Models Within 1 Minute With High Accuracy

Malicious hackers sometimes jailbreak language models (LMs) to exploit bugs in the systems so...

Hackers Hijack Anycubic 3D Printers to Display Warning Messages

Anycubic 3D printer owners have been caught off guard by a series of unauthorized...

RSM US Deploys Stellar Cyber Open XDR Platform to Secure Clients

Stellar Cyber, the innovator of Open XDR, today announced that RSM US – the leading provider...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles