The security team ‘Nautilus’ from AquaSec has issued a warning about a potential vulnerability in millions of GitHub repositories, referred to as “RepoJacking.” RepoJacking, or dependency repository hijacking, involves attackers registering old usernames and repositories that were previously used by organizations but have since changed their name. Nautilus analyzed a sample of 1.25 million GitHub repositories and identified 2.95% of them as vulnerable to RepoJacking. Extrapolating this percentage to GitHub’s entire repository base of over 300 million, the researchers estimate that around 9 million projects may be affected.
This vulnerability could lead to supply chain attacks, allowing malicious actors to deploy malware by manipulating dependencies. The risk of RepoJacking arises when organizations undergo changes such as new management through acquisition, merger, or rebranding, leading to username and repository name changes on GitHub. To prevent breaking dependencies for projects using code from repositories with name changes, GitHub creates redirections.
However, if an attacker registers the old name, the redirection becomes invalid. In a RepoJacking attack, the malicious actor registers the old username and creates a repository, causing projects or code relying on the dependencies of the attacked project to fetch code and dependencies from the attacker-controlled repository, potentially exposing users to malware. This highlights the need for increased awareness and security measures to protect against such supply chain vulnerabilities in the software development ecosystem.
Reference:
