Millions of GitHub Repositories Are Vulnerable To RepoJacking

An attack known as RepoJacking could affect millions of GitHub repositories.

If exploited, it could lead to code execution inside the networks of affected organizations or of their customers.

Among the repositories found to be at risk are those of companies such as Google and Lyft, leaving many high-value targets open to attack.

Of the 1.25 million GitHub repositories examined by AquaSec’s security research team, “Nautilus,” about 2.95% were vulnerable to RepoJacking.

How the RepoJacking Attack Works

RepoJacking is an attack in which a hostile actor registers a GitHub username or organization name that a company previously used and has since changed, and then creates under it a repository with the name of the company’s old repository.

On GitHub, username and repository name changes are frequent: companies acquire or merge with other companies, come under new management, or adopt a new brand name.

When this occurs, GitHub sets up a redirect from the old name to the new one so that projects pulling code from the renamed repository do not break. The redirect only holds while the old name stays unregistered; once someone registers the previous name and recreates the repository, the redirect is rendered invalid.

From that point, any code or project that depends on the renamed repository fetches its dependencies and other code from the attacker-controlled repository instead, which may contain malware.

The same thing can happen when control of a repository is handed to another user and the original account is then deleted, enabling an attacker to register an account with the old username.

A threat actor can compile a list of candidate repositories using services such as GHTorrent, which harvests GitHub metadata associated with public commits and pull requests.

According to the information shared with Cyber Security News, the findings suggest that millions of repositories could be susceptible to the same attack, given that GitHub hosts over 330 million repositories.

One such repository is google/mathsteps, formerly owned by Socratic (socraticorg/mathsteps), a company Google acquired in 2018.

“When you access https://github.com/socraticorg/mathsteps, you are being redirected to https://github.com/google/mathsteps so eventually the user will fetch Google’s repository,” the researchers said.

“However, because the socraticorg organization was available, an attacker could open the socraticorg/mathsteps repository, and users following Google’s instructions will clone the attacker’s repository instead.

And because of the npm install, this will lead to arbitrary code execution on the users.”

GitHub is aware of this risk and has safeguards against RepoJacking. The researchers report, however, that the protections in place so far are insufficient and easy to bypass.

GitHub, for instance, shields only the most popular projects, so the lesser-known, more exposed projects in the same dependency chains remain unprotected, and a compromise there still propagates through the supply chain.

Specifically, when a repository is renamed, GitHub retires its old namespace only if the repository had more than 100 clones in the week before the rename; a renamed repository below that threshold can be re-registered.

This protection does not cover projects that became popular only after they were renamed or changed ownership.

Mitigation

  • Check your code regularly for references that pull resources from GitHub repositories (for example Go module paths or git URLs in package manifests), since the projects they point to could change their names at any time.
  • If you change your company’s or organization’s name, keep ownership of the former name, even if only as a placeholder, so that intruders cannot register it.
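The following Python script is an added example, not code from the article or from AquaSec’s researchers. It ties the mechanism described above (a redirect that stops working once the old owner name is re-registered) to the first mitigation step: it pulls github.com owner/repo references out of dependency-manifest lines and classifies each as directly served, redirected but still held by the old owner, or hijackable. The manifest lines and the GitHub state it consults are constructed for the demo; in a live scan the two probes would be plain HTTPS requests (a redirect on github.com/owner/repo, a 404 on github.com/owner), and the oldname-inc/newname-inc repositories are hypothetical.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches github.com/<owner>/<repo> as it appears in go.mod lines, package.json
# git URLs, requirements.txt VCS pins and scp-style git@github.com:owner/repo.git.
GITHUB_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[^A-Za-z0-9_.-]|$)"
)

# Constructed sample manifest lines (not taken from any real project).
SAMPLE_MANIFEST = """\
github.com/socraticorg/mathsteps v0.2.0
"mathsteps": "git+https://github.com/socraticorg/mathsteps.git",
github.com/google/go-cmp v0.5.9
git+https://github.com/oldname-inc/acme-lib.git@v1.2.0#egg=acme-lib
git+ssh://git@github.com/NewName-Inc/acme-lib.git
"""


def extract_github_refs(text: str) -> List[Tuple[str, str]]:
    """Distinct (owner, repo) pairs in order of first appearance.
    Names are lower-cased because GitHub treats them case-insensitively."""
    refs: List[Tuple[str, str]] = []
    for owner, repo in GITHUB_REF.findall(text):
        pair = (owner.lower(), repo.lower())
        if pair not in refs:
            refs.append(pair)
    return refs


# Two facts are needed per reference. Live, you would get them with HTTPS:
# a redirect to github.com/<other>/<repo> means the repository was renamed or
# moved; a 404 on github.com/<owner> means the old name is free to register.
# They are injected as callables so the example runs offline (assumption).
RedirectFn = Callable[[str, str], Optional[Tuple[str, str]]]
ExistsFn = Callable[[str], bool]


def classify(owner: str, repo: str,
             redirect_target: RedirectFn, owner_exists: ExistsFn) -> str:
    """direct        - served from the named owner/repo, no rename in play
       redirect-held - redirected, but the old owner name is still registered,
                       so nobody else can recreate owner/repo
       hijackable    - redirected and the old owner name is unregistered: an
                       attacker can register it, recreate the repo, and the
                       redirect stops working"""
    if redirect_target(owner, repo) is None:
        return "direct"
    if owner_exists(owner):
        return "redirect-held"
    return "hijackable"


def scan(text: str, redirect_target: RedirectFn,
         owner_exists: ExistsFn) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {"direct": [], "redirect-held": [], "hijackable": []}
    for owner, repo in extract_github_refs(text):
        status = classify(owner, repo, redirect_target, owner_exists)
        report[status].append(f"{owner}/{repo}")
    return report


# Constructed stand-in for GitHub's current state (an assumption for the demo):
# which old names redirect where, and which owner names are currently taken.
FAKE_REDIRECTS = {
    ("socraticorg", "mathsteps"): ("google", "mathsteps"),     # the case in the article
    ("oldname-inc", "acme-lib"): ("newname-inc", "acme-lib"),  # hypothetical rename
}
FAKE_OWNERS_TAKEN = {"google", "newname-inc", "oldname-inc"}  # oldname-inc kept as placeholder


def fake_redirect_target(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    return FAKE_REDIRECTS.get((owner, repo))


def fake_owner_exists(owner: str) -> bool:
    return owner in FAKE_OWNERS_TAKEN


if __name__ == "__main__":
    for status, refs in scan(SAMPLE_MANIFEST, fake_redirect_target, fake_owner_exists).items():
        for ref in refs:
            print(f"{status:14} {ref}")
```

Two caveats when running this for real: “redirect-held” only says that the old name is registered by someone, not by whom, so confirm the placeholder account is actually yours; and a reference that already resolves without a redirect can still have been hijacked if the attacker registered the old name before your scan, so pinning dependencies to a commit hash remains the stronger control.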


Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
