Source: Bleeping Computer
Summary
A recent analysis of 1.25 million GitHub repositories has found that about 2.95% are vulnerable to RepoJacking. With more than 300 million total GitHub repositories, it’s possible that as many as 9 million are vulnerable.
RepoJacking, also known as dependency repository hijacking, involves re-registering a username previously used by an organization that has since changed its name, and re-creating a repository under that old name. Dependencies of the target project that still reference the old path then pull from the now actor-controlled repository instead of the renamed one, opening the door to supply chain attacks.
GitHub is aware of the issue and has implemented some defenses. However, they are limited and generally apply only to projects with high popularity and a certain number of clones.
Analysis
Although RepoJacking isn’t a new threat, the total number of vulnerable GitHub repositories was unknown until now, and that number is considerable. RepoJacking can have severe repercussions if successfully used by a threat actor to support a supply chain attack. Over the last few years, supply chain attacks have been increasing and have had a major effect on the cybersecurity industry.
For example, the SolarWinds supply chain attack, attributed to a Russian state-sponsored hacking group, impacted approximately 18,000 organizations worldwide. A RepoJacking attack could have the same consequences, should the threat actor successfully attack a popular repository.
Mitigation
Field Effect encourages project owners to minimize the resources pulled from external repositories as much as possible. For GitHub repository owners, we recommend maintaining control of old (or acquired) brands to lower your risk of dependency hijacking attacks. The same applies to domain names.
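One practical way to act on this advice is to audit your own dependency manifests for GitHub references that only resolve through a rename redirect, since those are the references an attacker could capture by re-registering the old name. The script below is an added example, not code from Field Effect or GitHub: it extracts owner/repo pairs from go.mod, requirements.txt and package.json style references and flags any whose path is listed in a rename table. The manifests, organization names and the RENAMED table are constructed for illustration; in a real audit the lookup would be replaced by an HTTP HEAD against the repository URL (or a GitHub API call) that reports a 301 redirect to a different owner/repo.

```python
"""Audit dependency manifests for GitHub references that now resolve only
via a rename redirect (the owner/repo no longer exists under that name).
Such references are exposed to dependency repository hijacking if the old
username is ever re-registered.

Everything below (manifests, organizations, RENAMED table) is constructed
sample data for this example; replace lookup_redirect with a live check.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches github.com/<owner>/<repo> in https, git+https and git@ style URLs,
# plus the short "github:<owner>/<repo>" form used by npm. A trailing ".git"
# is stripped; the lookahead stops at whitespace, quotes, '#', '@', '/' or ','.
_GITHUB_REF = re.compile(
    r'(?:github\.com[/:]|github:)(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)'
    r'(?:\.git)?(?=[\s"\'#@/,]|$)'
)

# Constructed rename table standing in for GitHub's redirect behaviour:
# old "owner/repo" -> current "owner/repo" after the organization renamed.
RENAMED: Dict[str, str] = {
    "oldcorp/http-client": "newcorp/http-client",
    "acme-labs/parser": "acme/parser",
}


def extract_github_refs(manifest_text: str) -> List[Tuple[str, str]]:
    """Return unique (owner, repo) pairs referenced in a manifest, in order."""
    refs: List[Tuple[str, str]] = []
    for m in _GITHUB_REF.finditer(manifest_text):
        pair = (m.group("owner"), m.group("repo"))
        if pair not in refs:
            refs.append(pair)
    return refs


def lookup_redirect(owner: str, repo: str) -> Optional[str]:
    """Offline stand-in for a redirect check; returns the new path or None."""
    return RENAMED.get(f"{owner}/{repo}")


def audit_manifest(
    manifest_text: str,
    resolve: Callable[[str, str], Optional[str]] = lookup_redirect,
) -> List[Dict[str, str]]:
    """Flag every reference whose path only resolves through a redirect."""
    findings: List[Dict[str, str]] = []
    for owner, repo in extract_github_refs(manifest_text):
        path = f"{owner}/{repo}"
        target = resolve(owner, repo)
        if target and target.lower() != path.lower():
            findings.append({"reference": path, "redirects_to": target})
    return findings


# Constructed sample manifests (names are fictional).
GO_MOD = """module example.com/app

go 1.21

require (
    github.com/oldcorp/http-client v1.4.0
    github.com/stable-org/logger v2.0.1
)
"""

REQUIREMENTS = """requests==2.31.0
git+https://github.com/acme-labs/parser.git@v3.1.0#egg=parser
"""

PACKAGE_JSON = '{"dependencies": {"padder": "github:stable-org/padder#v1.0.0"}}'


if __name__ == "__main__":
    for name, text in (("go.mod", GO_MOD),
                       ("requirements.txt", REQUIREMENTS),
                       ("package.json", PACKAGE_JSON)):
        for f in audit_manifest(text):
            print(f"{name}: {f['reference']} redirects to {f['redirects_to']} "
                  "(pin to the new path or vendor the dependency)")
```

A redirect on its own is not a compromise; it is the precondition. The reference becomes dangerous only if the old username is later re-registered, which GitHub's namespace retirement prevents solely for repositories above its popularity and clone thresholds, so for everything else the fix is to update the manifest to the renamed path, pin to a commit hash, or vendor the code.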