A vulnerability in GitHub repos allows attackers to deploy supply chain attacks that could impact a large number of users, according to researchers.
New research by Aqua Security shows that 9 million GitHub repositories are potentially vulnerable to an attack dubbed “RepoJacking”. The researchers say that, if exploited, the vulnerability may lead to code execution in organizations’ internal environments or in their customers’ environments.
What is RepoJacking?
RepoJacking can occur whenever a GitHub user changes their name, for example, when an organization goes through an acquisition or merger or adopts a new brand name. To avoid breaking code dependencies, GitHub creates a link between the old name and the new name, redirecting requests for the old name to the new one. Problems arise, however, if someone registers the old name, because that redirection link then becomes invalid.
A “RepoJacker” can register the organization’s old username and create a repository under it with the same name as the original. Any project or code that still references the attacked project by its old name will then fetch dependencies and code from the attacker-controlled repository, which could contain malware.
“Highly popular targets” identified
Ilay Goldman and Yakir Kadkoda, two researchers at Aqua’s Nautilus team, detailed their findings in a blog post this week. “As part of our research, we found an enormous source of data that allowed us to sample a dataset and find some highly popular targets”, they explained.
Indeed, among the repositories found vulnerable to this attack were organizations such as Google and Lyft. All were notified of this vulnerability and promptly mitigated the risks, according to the researchers.
All told, the Aqua research team found that 2.95% of the repositories they studied were vulnerable to RepoJacking. Given that GitHub has 300 million repositories, that means 9 million projects are vulnerable.
How to mitigate the risk
The Aqua Nautilus team recommends regularly checking repositories for any links that may fetch resources from external GitHub repositories, since a referenced project, such as a Go module, can change its name at any time.
In addition: “If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it”.
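To make the mechanism described above and the recommended check concrete, here is an added example (not code from the article or from Aqua Security) of a small dependency scanner. It extracts `github.com/owner/repo` references from a dependency file such as `go.mod`, then classifies each one: a reference whose repository now lives under a different owner while the original owner name is no longer registered is exactly the state a RepoJacker can exploit. The `go.mod` contents and the `constructed_lookup` table are constructed for the example; the optional `github_lookup` uses GitHub's public REST endpoints `/users/{name}` and `/repos/{owner}/{repo}` and needs network access. The function names `extract_github_refs`, `assess`, `scan` and the `RepoStatus` class are this example's own, not part of any library.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Matches references such as github.com/owner/repo or github.com/owner/repo/v2
GITHUB_REF = re.compile(r"github\.com/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")


@dataclass
class RepoStatus:
    owner_exists: bool              # is an account with the referenced owner name registered?
    redirect_owner: Optional[str]   # owner the repo now redirects to, None if it was never renamed


Lookup = Callable[[str, str], RepoStatus]

# Constructed sample go.mod: three dependencies in three different states.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.21

require (
    github.com/old-org/widgets v1.4.0
    github.com/kept-org/tools v0.9.2
    github.com/stable-org/lib v2.0.0
)
"""

# Constructed GitHub state for the three sample dependencies (no network needed).
CONSTRUCTED_STATE = {
    ("old-org", "widgets"): RepoStatus(owner_exists=False, redirect_owner="new-org"),     # renamed, old name free
    ("kept-org", "tools"): RepoStatus(owner_exists=True, redirect_owner="renamed-org"),  # renamed, old name still held
    ("stable-org", "lib"): RepoStatus(owner_exists=True, redirect_owner=None),           # never renamed
}


def constructed_lookup(owner: str, repo: str) -> RepoStatus:
    return CONSTRUCTED_STATE[(owner, repo)]


def extract_github_refs(text: str) -> List[Tuple[str, str]]:
    """Return unique (owner, repo) pairs referenced in a dependency file, in order of appearance."""
    refs: List[Tuple[str, str]] = []
    for match in GITHUB_REF.finditer(text):
        owner, repo = match.group(1), match.group(2)
        if repo.endswith(".git"):
            repo = repo[:-4]
        if (owner, repo) not in refs:
            refs.append((owner, repo))
    return refs


def assess(owner: str, repo: str, lookup: Lookup) -> str:
    """Classify one reference: EXPOSED (hijackable), REDIRECTED (renamed but old name held) or OK."""
    status = lookup(owner, repo)
    renamed = status.redirect_owner is not None and status.redirect_owner.lower() != owner.lower()
    if renamed and not status.owner_exists:
        return "EXPOSED"      # anyone could register the old owner name and break the redirect
    if renamed:
        return "REDIRECTED"   # the old name is still owned, e.g. kept as a placeholder
    return "OK"


def scan(text: str, lookup: Lookup) -> Dict[str, str]:
    """Scan a dependency file and return {"owner/repo": verdict} for every GitHub reference."""
    return {f"{o}/{r}": assess(o, r, lookup) for o, r in extract_github_refs(text)}


def github_lookup(owner: str, repo: str, token: Optional[str] = None) -> RepoStatus:
    """Live lookup against GitHub's REST API (requires network; token avoids rate limits)."""
    import json
    import urllib.error
    import urllib.request

    headers = {"Accept": "application/vnd.github+json", "User-Agent": "repojacking-check"}
    if token:
        headers["Authorization"] = f"Bearer {token}"

    def get(url: str):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:  # follows the 301 of a renamed repo
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, None

    user_code, _ = get(f"https://api.github.com/users/{owner}")
    repo_code, body = get(f"https://api.github.com/repos/{owner}/{repo}")
    redirect_owner = None
    if repo_code == 200 and body["owner"]["login"].lower() != owner.lower():
        redirect_owner = body["owner"]["login"]
    return RepoStatus(owner_exists=(user_code == 200), redirect_owner=redirect_owner)


if __name__ == "__main__":
    for ref, verdict in scan(SAMPLE_GO_MOD, constructed_lookup).items():
        print(f"{verdict:10} {ref}")
```

Running the script against the constructed data prints `EXPOSED old-org/widgets`, `REDIRECTED kept-org/tools` and `OK stable-org/lib`. Pass `github_lookup` instead of `constructed_lookup` to check a real `go.mod`; the "REDIRECTED" verdict is the state the article's second recommendation produces, where the old organization name is retained as a placeholder so the redirect cannot be taken over.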