The Checkmarx Supply Chain Security team has shared its findings on a new flaw discovered in GitHub that allows attackers to take control of repositories and infect code and apps with malware. The researchers describe it as a high-severity flaw in GitHub.

Findings Details

According to the researchers, an attacker can use a technique called RepoJacking to take control of a GitHub repository by exploiting a logical flaw in the platform's architecture that leaves renamed users exposed. In fact, all renamed usernames on the platform were vulnerable to this flaw, which covers 10,000 packages on the Swift, Go, and Packagist package managers.

“The practical meaning of this is that thousands of packages can immediately be hijacked and start serving malicious code to millions of users and many applications,” researchers noted.

GitHub fixed the bug in its well-known “repository namespace retirement” feature, which it created to prevent RepoJacking. However, the researchers noted that this protection can itself be targeted by attackers.

What is the Issue?

Each GitHub repository has a unique URL that includes its creator’s username. If the user renames their account, the repository gets a new URL, and GitHub redirects traffic from the original URL to it.

In RepoJacking, traffic to the old URL of a repository whose owner was renamed is hijacked and routed to the attacker’s repository by exploiting a logical flaw that bypasses the original redirect. A GitHub repository becomes vulnerable to RepoJacking when its creator renames their username and the old username remains available for registration.

Hence, an attacker can register a new GitHub account under the old username and create a repository with the same name, so that the combination matches the old repository URL.

“We have identified over 10,000 packages in those package managers using renamed usernames that are at risk of being vulnerable to this technique in case a new bypass is found,” the Checkmarx blog post read.
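The at-risk population the researchers describe is dependencies whose GitHub URL only still works because of a rename redirect. The following audit of a Go module file is an added example, not Checkmarx’s or GitHub’s code: the go.mod contents and the redirect table are constructed, and a real check would replace `FAKE_CANONICAL.get` with an HTTP lookup that follows the redirect from each dependency’s GitHub URL.

```python
import re

# Constructed sample go.mod for this example; owners and modules are made up.
SAMPLE_GO_MOD = """module example.com/app

require (
    github.com/old-owner/netutil v1.2.3
    github.com/stable-owner/logfmt v0.4.0
    github.com/gone-owner/cfgparse/v2 v2.0.1
    golang.org/x/text v0.9.0
)
"""

# Constructed stand-in for following GitHub's redirect. Maps "owner/repo" to the
# canonical "owner/repo" the URL lands on, or None when it no longer resolves.
# A real audit would request https://github.com/<owner>/<repo> and follow redirects.
FAKE_CANONICAL = {
    "old-owner/netutil": "new-owner/netutil",      # creator renamed their account
    "stable-owner/logfmt": "stable-owner/logfmt",  # unchanged
    "gone-owner/cfgparse": None,                   # URL no longer resolves
}

# Matches a require line for a github.com module, tolerating a /vN major suffix.
GITHUB_MODULE = re.compile(r"^\s*github\.com/([^/\s]+)/([^/\s]+)(?:/\S*)?\s+v\S+")

def github_deps(go_mod):
    """Return 'owner/repo' for every github.com module required by a go.mod."""
    deps = []
    for line in go_mod.splitlines():
        m = GITHUB_MODULE.match(line)
        if m:
            deps.append(f"{m.group(1)}/{m.group(2)}")
    return deps

def classify(deps, resolve):
    """Label each dependency: 'renamed' (reachable only via the rename redirect, the
    population Checkmarx flagged), 'missing' (no longer resolves) or 'ok' (unchanged)."""
    report = {}
    for dep in deps:
        canonical = resolve(dep)
        if canonical is None:
            report[dep] = "missing"
        elif canonical.lower() != dep.lower():
            report[dep] = "renamed"
        else:
            report[dep] = "ok"
    return report

if __name__ == "__main__":
    for dep, status in classify(github_deps(SAMPLE_GO_MOD), FAKE_CANONICAL.get).items():
        print(f"{status:8} {dep}")
```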

RepoJacking Gaining Momentum

Checkmarx’s security researcher and team leader, Aviad Gershon, revealed that earlier this year his team observed an increase in the use of the RepoJacking technique. This indicates that malicious actors are evolving their methods to leverage trusted open-source packages in the simplest way possible while ensuring maximum impact. The security community must work together proactively to detect and remediate such flaws before threat actors exploit them.

In conclusion, millions of users of thousands of projects rely on open-source libraries and code repositories. That’s what makes them an attractive target for attackers. If they can control a GitHub repository and inject malicious code into an otherwise trusted project, they can easily infect thousands of devices.


Posted by Charlie