Millions of enterprise software repositories on GitHub are currently at risk from a type of attack known as repojacking. This attack involves redirecting projects that are dependent on a specific repository to a malicious one instead. Researchers at Aqua Security recently uncovered this vulnerability and highlighted the risk it poses to organizations.
The issue stems from how GitHub handles dependencies when a user or organization changes the name of a project or transfers ownership to another entity. GitHub creates a link between the original repository name and the new one to avoid breaking code dependencies. This means that all projects dependent on the original repository are automatically redirected to the renamed one. However, if the old username is not adequately protected, an attacker can reuse it to create a trojanized version of the original repository. This allows the attacker to distribute malware to any project that relies on the repository.
Aqua Security researchers decided to investigate the prevalence of repositories on GitHub that are vulnerable to repojacking. They found that millions of such repositories, including those belonging to major companies like Google and Lyft, are present on the platform. Furthermore, attackers have easy access to tools like GHTorrent, which maintains a record of all public events on GitHub. With GHTorrent, attackers can harvest the names of repositories that organizations previously used, register the repository under the old username, and deliver malware to dependent projects.
Any project that directly references a GitHub repository is susceptible to this attack if the repository’s owner changes or deletes their username. Aqua Security researcher Yakir Kadkoda emphasized the importance of organizations claiming and maintaining their old usernames on GitHub to prevent attackers from exploiting them. He urged organizations to scan their code for GitHub links and references to identify repositories that could potentially be claimed by attackers.
GitHub has attempted to address this issue by preventing the creation of usernames and repositories that were previously owned and now redirect to other projects. Additionally, the platform implemented a mechanism to retire popular repository namespaces in an effort to mitigate the threat of repojacking. However, bypasses to these defenses have been discovered in recent years, rendering them unreliable.
Checkmarx, a cybersecurity company, found a vulnerability on GitHub related to repojacking. The flaw was a bypass of GitHub’s “popular repository namespace retirement” protection and affected all renamed usernames on the platform. It allowed attackers to redirect traffic from renamed repositories to their own repositories. Repojacking occurs when a repository’s creator renames their username, leaving the old username available for registration.
To mitigate the risk of repojacking, organizations should scan their code, repositories, and dependencies for GitHub links. They should also check if these links directly refer to GitHub projects or if there are redirects pointing to repositories with different usernames or names. In cases where the available username matches an organization’s old username, they should claim it to prevent attackers from doing so. Maintaining old usernames on GitHub is an additional recommended measure.
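The scan described above, as an added example that is not code from Aqua Security, Checkmarx or this article: it pulls github.com owner/repo references out of dependency files and flags any reference that redirects to a different name (the old namespace may be re-registrable unless reserved) or no longer resolves (the namespace is already free). The sample dependency lines and the `FAKE_REDIRECTS` map are constructed for the demo, and `resolve_live` is an assumed helper that performs the same lookup over HTTP.

```python
import re
from typing import Callable, List, Optional, Tuple
from urllib.request import Request, urlopen

# Matches github.com/<owner>/<repo> in URLs, pip/git specs and go.mod module paths.
GITHUB_REF = re.compile(r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[\s/\"'@#?]|$)")

# Constructed sample dependency lines (not from a real project).
SAMPLE_FILES = """\
git+https://github.com/oldname/widget.git@v1.2.0#egg=widget
github.com/acme/tool v0.3.1
https://github.com/neworg/lib/archive/refs/tags/v2.zip
"""

# Constructed stand-in for live lookups: (owner, repo) -> URL after redirects,
# or None when the repository no longer exists (deleted or never registered).
FAKE_REDIRECTS = {
    ("oldname", "widget"): "https://github.com/newname/widget",  # owner renamed
    ("acme", "tool"): "https://github.com/acme/tool",            # unchanged
    ("neworg", "lib"): None,                                      # gone
}

def fake_resolve(owner: str, repo: str) -> Optional[str]:
    return FAKE_REDIRECTS.get((owner, repo))

def resolve_live(owner: str, repo: str) -> Optional[str]:
    """Assumed helper: the same lookup over HTTP (urllib follows GitHub's 301s)."""
    try:
        with urlopen(Request(f"https://github.com/{owner}/{repo}", method="HEAD")) as r:
            return r.geturl()
    except Exception:  # 404 (name is free), network error, etc.
        return None

def extract_refs(text: str) -> List[Tuple[str, str]]:
    """Unique (owner, repo) pairs referenced in source or dependency files, in order."""
    return list(dict.fromkeys(GITHUB_REF.findall(text)))

def find_repojackable(text: str, resolve: Callable[[str, str], Optional[str]]) -> List[Tuple[str, str, str]]:
    """Flag pinned names that redirect elsewhere or no longer resolve (GitHub names are case-insensitive)."""
    findings = []
    for owner, repo in extract_refs(text):
        final = resolve(owner, repo)
        m = GITHUB_REF.search(final) if final else None
        if final is None:
            findings.append((owner, repo, "unresolvable"))
        elif m is None or (m[1].lower(), m[2].lower()) != (owner.lower(), repo.lower()):
            findings.append((owner, repo, f"redirects to {final}"))
    return findings
```

Against a real tree, feed each manifest's contents to `find_repojackable` with `resolve_live`; a reference that redirects to a renamed owner is the one to re-pin to the new name and, where the old username is free, to claim.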
Overall, repojacking poses a significant threat to enterprise software repositories on GitHub. Organizations must remain vigilant in protecting their GitHub assets and taking necessary precautions to prevent this type of supply chain attack.