Over 15,000 Go module repositories on GitHub are vulnerable to repojacking attacks, a type of threat that takes advantage of GitHub username changes and deletions, as highlighted by research from VulnCheck. The study reveals that 9,000 repositories are susceptible due to GitHub username changes, while 6,000 are at risk because of account deletions, collectively affecting over 800,000 Go module versions. This attack method, a portmanteau of “repository” and “hijacking,” exploits the decentralized nature of Go modules, which are published to version control platforms like GitHub. The threat actor can create a repository with the same name as the pre-existing username, facilitating open-source software supply chain attacks.
GitHub has implemented a countermeasure called popular repository namespace retirement to prevent the creation of repositories with names of retired namespaces that have been cloned over 100 times before account renaming or deletion. However, this protection is insufficient for Go modules, which are cached by the module mirror, bypassing the need for direct interaction or cloning a repository.
The research emphasizes that mitigation of repojackings involving 15,000 GitHub accounts is a challenge that either Go or GitHub must address. Until a solution is implemented, developers are advised to stay vigilant about the modules they use and their repository’s state. In a related discovery, Lasso Security identified 1,681 exposed API tokens on Hugging Face and GitHub, including tokens associated with major companies like Google, Meta, Microsoft, and VMware. These exposed tokens could potentially be exploited for supply chain attacks, training data poisoning, and model theft. The findings underscore the need for robust security measures to protect against various threats in the open-source software development ecosystem.