Millions of GitHub Repos Likely Vulnerable to RepoJacking
New research by AquaSec's Nautilus sheds light on the extent of RepoJacking, which, if exploited, may lead to code execution on organizations’ internal environments or on their customers’ environments.
AquaSec's security team 'Nautilus' analyzed a sample of 1.25 million GitHub repositories and found that about 2.95% of them to be vulnerable to RepoJacking.
"By extrapolating this percentage to GitHub's entire repository base of more than 300 million, the researchers estimate that the issue affects approximately 9 million projects."
"RepoJacking is an attack where a malicious actor registers a username and creates a repository used by an organization in the past but which has since changed its name."
"Doing so results in any project or code that relies on the dependencies of the attacked project to fetch dependencies and code from the attacker-controlled repository, which could contain malware."
"GitHub knows about this possibility and implemented some defenses for RepoJacking attacks. However, AquaSec reports that the solutions have so far been incomplete and easily bypassed."
"Among the repositories found vulnerable to this attack we discovered organizations such as Google, Lyft and some that requested to remain anonymous. All were notified of this vulnerability and promptly mitigated the risks," wrote the researchers in a blog post.
"To mitigate the risk, we recommend taking the following steps:
1) Regularly check your repositories for any links that may fetch resources from external GitHub repositories, as references to projects like Go module can change its name anytime. 2) If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it."