An attack known as RepoJacking could affect millions of GitHub repositories, putting organizations and their customers at risk. When exploited, it lets an attacker serve malicious code under a name that developers and build systems already trust, which can lead to code execution on internal networks. Repositories belonging to well-known companies such as Google and Lyft were among the high-value targets found to be exposed.
A recent study by Aqua Security's research team, Nautilus, found that roughly 2.95% of a sample of 1.25 million GitHub repositories were susceptible to RepoJacking, about 37,000 repositories in the sample alone. That is a significant number of repositories at risk of compromise.
So how does a RepoJacking attack work? The attacker registers the username or organization name that a company previously used and creates a repository under it with the old repository's name. Name changes are common on GitHub: companies are acquired, merge or rebrand, and their accounts and repositories are renamed or deleted as a result.
GitHub sets up a redirect when a repository is renamed or transferred, so projects that still reference the old path keep working. That redirect is dropped as soon as someone registers the old name and creates a repository with the same name. From then on, anyone who fetches the old path gets the attacker's repository, and any install script, build step or dependency that still points at it pulls in whatever malware or malicious code the attacker placed there.
The same applies when a repository is transferred to another user and the original account is then deleted. By creating an account with the old username and recreating the repository, the attacker takes over the old path and everything that still fetches from it.
To build a target list, threat actors can use datasets such as GHTorrent, which archive GitHub metadata from public commits and pull requests, and compare the owner and repository names recorded there against the names that exist today. GitHub hosts more than 330 million repositories, so the researchers believe millions of them may be exposed in the same way.
One example the researchers highlight is google/mathsteps, formerly socraticorg/mathsteps; Google acquired Socratic in 2018 and the repository moved. Google's own instructions still pointed users at socraticorg/mathsteps, which only worked because GitHub redirected that path to google/mathsteps. Had an attacker registered the socraticorg organization and created a mathsteps repository under it, users following Google's instructions would have unknowingly cloned the attacker's repository instead.
GitHub does have a safeguard, popular repository namespace retirement, which blocks re-registration of a namespace whose repository had more than 100 clones in the week before it was renamed or deleted. The researchers report that this measure is easy to get around and, by design, only covers popular projects. Lesser-known projects get no protection, and neither does any project, popular or not, that depends on one of those unprotected repositories.
To reduce exposure, regularly scan your repositories for references that fetch code from other GitHub repositories: clone URLs in READMEs and install scripts, submodules, CI configuration and dependency manifests. This matters most in ecosystems such as Go modules, where the github.com path is the package identifier itself, because the owner of a referenced path can change at any time.
If a company changes its name, it should keep ownership of the old username or organization, even if only as a placeholder. That prevents anyone else from registering the old name and using it for RepoJacking.
In conclusion, RepoJacking is a significant threat to GitHub repositories and could affect millions of projects. Organizations and individuals need to audit what their code fetches from GitHub and keep hold of the names they have used, so that an old name can never be turned against them.

