Saturday, April 13, 2024
HomeSECURITYOver 9 million GitHub repositories vulnerable to RepoJacking attacks

Over 9 million GitHub repositories vulnerable to RepoJacking attacks


Over 9 million GitHub repositories vulnerable to RepoJacking attacks

Attackers can easily clone old repositories and break dependency redirects.

Over 9 million repositories on GitHub are at risk of dependency hijacking, also known as “RepoJacking”, which can help attackers carry out supply chain attacks that affect a large number of users. About it warns security team AquaSec “Nautilus”, which analyzed a huge selection of repositories on GitHub.

Researchers estimate that only 2.95% of all GitHub repositories are vulnerable to RepoJacking, but if you transfer this percentage to the entire repository base, which is more than 300 million, then the problem affects approximately 9 million projects. And this number no longer seems harmless.

Username and repository name changes are a common occurrence on GitHub, as many organizations can effectively cease to exist as a result of an acquisition, merger, or rebranding. When this happens, a redirection is created within the old project to avoid breaking dependencies for other projects using code from repositories that have changed their name. However, if someone registers the old name, then this redirect becomes invalid.

RepoJacking is an attack in which an attacker registers a username and creates a repository that has been used by an organization in the past. As a result, any project or code that relies on the dependencies of the attacked project will receive dependencies and code from the repository controlled by the attacker, which may contain malicious code.

GitHub is aware of this vulnerability in their platform and has implemented some protection against RepoJacking attacks. However, AquaSec researchers report that these solutions are not 100% secure as they can be easily bypassed.

For example, GitHub only protects very popular projects, but they may use a dependency from a less popular vulnerable repository that is not covered by such protection. So supply chain compromise affects these projects too.

GitHub also protects repositories with more than 100 clones a week before the name change, indicating malicious preparations. However, this protection does not cover projects that have become popular after they have been renamed or ownership has been transferred.

To highlight the importance of the issue, AquaSec scanned well-known organizations for vulnerable repositories and found vulnerabilities in repositories managed by nothing less than Google.

In Google’s case, the “readme” file containing instructions for building the fairly popular “Mathsteps” project pointed to a GitHub repository owned by Socratic, which Google acquired and assimilated in 2018.

Since Socratic no longer exists, as well as its corresponding repository, an attacker can clone this repository to break the redirect. And users following the readme instructions could inadvertently download malicious code from a fake repository.

Also, because the instructions included the “npm install” command for the dependency, the attacker’s code could achieve arbitrary execution on unsuspecting users’ devices.

Unfortunately, the risk of RepoJacking is widespread, difficult to eliminate, and can have serious consequences for organizations and users. Project owners should minimize the resources they get from external repositories as much as possible.

Also, consider maintaining control of legacy or acquired brand repositories to prevent dependency hijacking attacks on yourself and your customers.

Source link


Please enter your comment!
Please enter your name here

Most Popular