Millions of software repositories on GitHub are potentially vulnerable to an attack called RepoJacking, a new study has revealed.
This includes repositories from organizations such as Google and Lyft, to name a few, Massachusetts-based cloud-native security firm Aqua said in a report published Wednesday.
RepoJacking, also known as dependency repository hijacking, is a class of supply chain attack in which an attacker takes over a retired organization or user name on GitHub and publishes a trojanized version of a repository under it, so that anyone still fetching the dependency by its old name pulls and runs the attacker's code.
“When a repository owner changes their username, a link is established between the old name and the new name for anyone who downloads dependencies from the old repository,” said researchers Ilay Goldman and Yakir Kadkoda. “However, anyone can create the old username and break this link.”
Alternatively, a similar scenario arises when ownership of a repository is transferred to another user and the original account is deleted, which again lets a bad actor create an account with the old username.
Aqua said threat actors can use sources such as GHTorrent to extract GitHub metadata associated with public commits and pull requests and compile a list of unique repository names to test for the condition.
An analysis of a subset of 1.25 million repositories for June 2019 revealed that a total of 36,983 repositories were vulnerable to RepoJacking, indicating a success rate of 2.95%.
With GitHub hosting more than 330 million repositories, the findings suggest that millions of repositories could be vulnerable to the same attack.
One such repository was google/mathsteps, previously owned by Socratic (socraticorg/mathsteps), a company that was acquired by Google in 2018.
“When you access https://github.com/socraticorg/mathsteps, you are redirected to https://github.com/google/mathsteps so that eventually users will fetch Google’s repository,” the researchers said.
“However, since the socraticorg organization is available, an attacker can open the socraticorg/mathsteps repository and a user following Google’s instructions will clone the attacker’s repository instead. And because of this, the npm installation will cause arbitrary code execution on the user.”
This is not the first time such concerns have been raised. In October 2022, GitHub moved to close a vulnerability that could have been exploited to create malicious repositories and mount supply chain attacks, by retiring the namespaces of popular repositories after a rename so that they cannot be re-registered. The protection only applies to namespaces that were popular at the time of the change, which is why Aqua still found exposed repositories.
To reduce the risk, it is recommended that users periodically check their code and dependency manifests for links that fetch resources from external GitHub repositories, confirm that the owner name in each link still exists rather than silently redirecting elsewhere, and pin dependencies to a commit hash or lockfile integrity value rather than a mutable branch name.
“If you change your organization name, make sure you still have the previous name, even as a placeholder, to prevent attackers from creating it,” the researchers said.
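The check recommended above, as an added example that is not part of Aqua's report or tooling: the script pulls GitHub owner/repo references out of manifest text (package.json, go.mod, Gemfile, Dockerfile style strings), asks GitHub whether the referenced repository now redirects to a different owner, and then checks whether the old owner name still exists. A redirect whose old owner page returns 404 is exactly the socraticorg/mathsteps situation described in the article. The fetch function is injectable, so the demo at the bottom runs offline against constructed responses (the `FAKE_GITHUB` table and `SAMPLE_MANIFEST` are made up for illustration); `http_fetch` is the real probe.

```python
"""Check dependency manifests for GitHub references exposed to RepoJacking.

Added example, not Aqua's tooling. It extracts owner/repo pairs from manifest text,
then asks GitHub whether the referenced repository redirects to a different owner
and whether the original owner name still exists. The fetcher is injectable so the
demo below runs offline against constructed responses.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# owner/repo as it appears in package.json ("github:o/r", "git+https://github.com/o/r.git"),
# go.mod ("github.com/o/r v1.2.3"), Gemfiles and Dockerfiles ("git clone git@github.com:o/r.git").
GITHUB_REF = re.compile(
    r"github(?:\.com)?[:/]"
    r"(?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)"
    r"/(?P<repo>[A-Za-z0-9_.-]+)"
)

Fetcher = Callable[[str], tuple[int, str]]  # url -> (HTTP status, final URL after redirects)


@dataclass(frozen=True)
class RepoRef:
    owner: str
    repo: str


@dataclass
class Finding:
    ref: RepoRef
    status: str  # "ok" | "hijackable" | "redirected" | "broken" | "unknown"
    detail: Optional[str] = None


def extract_refs(text: str) -> list[RepoRef]:
    """Return unique owner/repo references, lower-cased (GitHub names are case-insensitive)."""
    refs: dict[RepoRef, None] = {}
    for m in GITHUB_REF.finditer(text):
        repo = m.group("repo").rstrip(".")
        if repo.endswith(".git"):
            repo = repo[:-4]
        refs.setdefault(RepoRef(m.group("owner").lower(), repo.lower()), None)
    return list(refs)


def http_fetch(url: str) -> tuple[int, str]:
    """Real probe: HEAD the URL, follow redirects, report where it landed; 404 is returned, not raised."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "repojack-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, url


def owner_of(url: str) -> Optional[str]:
    parts = [p for p in urlparse(url).path.split("/") if p]
    return parts[0].lower() if parts else None


def classify(ref: RepoRef, fetch: Fetcher) -> Finding:
    """Decide whether a reference could be hijacked by re-registering its owner name."""
    status, landed_url = fetch(f"https://github.com/{ref.owner}/{ref.repo}")
    if status == 404:
        owner_status, _ = fetch(f"https://github.com/{ref.owner}")
        if owner_status == 404:
            return Finding(ref, "hijackable", "repo missing and owner name unregistered")
        return Finding(ref, "broken", "repo missing but owner still exists")
    if status != 200:
        return Finding(ref, "unknown", f"HTTP {status}")
    landed = owner_of(landed_url)
    if landed is None or landed == ref.owner:
        # Caveat: a name an attacker has already re-registered also looks like this.
        return Finding(ref, "ok")
    owner_status, _ = fetch(f"https://github.com/{ref.owner}")
    if owner_status == 404:
        # 404 means either free or retired by GitHub; only a registration attempt distinguishes them.
        return Finding(ref, "hijackable", f"redirects to {landed}; old owner name unregistered")
    return Finding(ref, "redirected", f"redirects to {landed}; old owner name still held")


def scan(text: str, fetch: Fetcher = http_fetch) -> list[Finding]:
    return [classify(ref, fetch) for ref in extract_refs(text)]


# --- Offline demo with constructed data, modelled on the mathsteps case plus two controls ---
SAMPLE_MANIFEST = """
{ "dependencies": {
    "mathsteps": "git+https://github.com/socraticorg/mathsteps.git",
    "mathsteps-upstream": "github:google/mathsteps" } }
require github.com/gone-org/old-lib v1.2.0
"""

FAKE_GITHUB = {  # url -> (status, final url); anything not listed is a 404
    "https://github.com/socraticorg/mathsteps": (200, "https://github.com/google/mathsteps"),
    "https://github.com/google/mathsteps": (200, "https://github.com/google/mathsteps"),
    "https://github.com/google": (200, "https://github.com/google"),
}


def fake_fetch(url: str) -> tuple[int, str]:
    return FAKE_GITHUB.get(url, (404, url))


if __name__ == "__main__":
    for f in scan(SAMPLE_MANIFEST, fake_fetch):
        print(f"{f.ref.owner}/{f.ref.repo}: {f.status} ({f.detail or 'no redirect'})")
```

Run it against real manifests by passing `http_fetch` (the default) instead of `fake_fetch`. Two limits matter in practice: a 404 on an owner page does not distinguish a free name from one GitHub has retired under its popular-namespace protection, so "hijackable" means "confirm manually", and a reference that resolves without redirecting cannot tell a legitimate owner from an attacker who has already claimed the name. Pinning to a commit hash or a lockfile integrity value, rather than a branch, closes that second gap regardless of who owns the namespace.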