AquaSec analyzed a sample of 1% of GitHub repositories and found that about 37,000 of them are vulnerable to RepoJacking, including the repositories of companies such as Google and Lyft.

Credit: Gerd Altmann

Millions of GitHub repositories are potentially vulnerable to RepoJacking, an attack that allows attackers to execute code in organizations’ internal environments or in their customers’ environments, according to research by AquaSec. AquaSec analyzed a sample of 1.25 million GitHub repositories and found that about 2.95% were vulnerable to RepoJacking, including repositories belonging to companies such as Google and Lyft.

What is RepoJacking?

On GitHub, organizations have usernames and repository names. After events such as a change of management or a rebranding, an organization may change its username or a repository name on GitHub. GitHub then creates a redirect from the old name to the new one so that projects which pull code from the renamed repository keep working. However, if someone re-registers the old name, that redirect no longer applies and the old name resolves to whatever the new registrant puts there.

RepoJacking is an attack in which the attacker registers a username that an organization used in the past and abandoned through a rename, and creates under it a repository with the old repository name. Any project that still fetches dependencies or code from the old name then receives them from the attacker-controlled repository, which could contain malware.

GitHub has some restrictions to prevent an attacker from opening the old repository name. “However, they are applied only on popular repositories that were popular before the rename, and recently researchers found many bypasses to these restrictions allowing attackers to open any repository they want,” AquaSec said.

AquaSec’s research tactic

AquaSec downloaded all the logs from GHTorrent, a website that provides the complete log history of GitHub repositories, for June 2019 and compiled a list of 125 million unique repository names. They then sampled 1% (1.25 million repository names) and checked each one to see whether it was vulnerable to RepoJacking. “We found that 36,983 repositories were vulnerable to RepoJacking! That is a 2.95% success rate,” AquaSec said.

Potential exploitation due to the RepoJacking vulnerability

AquaSec found that companies including Google and Lyft had vulnerable repositories and explained how they could be exploited.

For Google, AquaSec found that a readme file containing instructions for building a project called Mathsteps pointed to a GitHub repository belonging to Socratic, a company that Google acquired in 2018 and which no longer exists. Using the vulnerability, an attacker could re-create that repository under the abandoned name, breaking the redirection. Users following the instructions would then fetch a file containing malicious code inserted by the attacker, allowing the attacker to achieve arbitrary code execution on their devices.

For Lyft, AquaSec found an installation script in the company’s repository that fetches a ZIP archive from another repository, which was vulnerable to RepoJacking. This meant that attackers could inject their malicious code automatically into any Lyft installation that used the script. Both Google and Lyft have fixed the issue.

Safeguarding the repositories

AquaSec advises organizations to regularly check their repositories for any links that fetch resources from external GitHub repositories, because referenced projects, such as Go modules, can change their name at any time. “If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it,” AquaSec said.

The researchers warn that organizations they did not analyze could also be vulnerable. “It’s important to note that our analysis only covered a fraction of the available data, meaning that there are many more vulnerable organizations, potentially including yours,” AquaSec said.
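The audit that AquaSec recommends, checking your own repositories for references to external GitHub repositories that now only work through a rename redirect, as an added Python example that is not part of the article or of AquaSec’s research: it extracts github.com/owner/repo references from a few constructed sample files and classifies each one by probing whether the reference redirects to a different owner and whether the old owner name is still held. The GITHUB_REF pattern, the verdict names and the sample owners (old-org, gone-org, stable-org) are assumptions; FAKE_RESPONSES stands in for GitHub so the demo runs offline, while github_status is the live probe a practitioner would pass to audit.

```python
import re
import urllib.error
import urllib.request
# github.com/<owner>/<repo> in https URLs, git@ SSH URLs and Go import paths; trailing .git dropped.
GITHUB_REF = re.compile(r"github\.com[/:]([\w-]+)/([\w.-]+?)(?:\.git)?(?![\w.-])")

def extract_github_refs(text):
    """Return the set of (owner, repo) pairs a file references, lower-cased."""
    return {(o.lower(), r.lower()) for o, r in GITHUB_REF.findall(text)}

def github_status(url):
    """Live probe (needs network): HEAD the URL, follow redirects, return (status, final_url)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "repojacking-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, url

def assess(owner, repo, status=github_status):
    """Classify one reference; `status` is injectable so the logic can run offline."""
    code, final_url = status(f"https://github.com/{owner}/{repo}")
    if code == 404:
        return "missing"  # broken link: nothing is served, so no redirect can be taken over
    final_owner = final_url.rstrip("/").split("/")[-2].lower()
    if final_owner == owner.lower():
        return "ok"  # served directly under the referenced owner, no redirect in play
    if status(f"https://github.com/{owner}")[0] == 404:
        return "repojackable"  # the redirect depends on an owner name nobody currently holds
    return "renamed"  # redirected, but the old owner name is still held (e.g. as a placeholder)

def audit(files, status=github_status):
    """Map every (owner, repo) referenced across the given files to its verdict."""
    refs = set().union(*(extract_github_refs(t) for t in files.values()))
    return {ref: assess(*ref, status=status) for ref in sorted(refs)}

# Constructed sample files and a constructed stand-in for GitHub's responses (offline demo).
SAMPLE_FILES = {
    "README.md": "Build it with: git clone https://github.com/old-org/mathsteps.git",
    "install.sh": "curl -L https://github.com/gone-org/tool/archive/main.zip -o tool.zip",
    "go.mod": "require github.com/stable-org/lib v1.2.3",
}
FAKE_RESPONSES = {
    "https://github.com/old-org/mathsteps": (200, "https://github.com/new-org/mathsteps"),
    "https://github.com/old-org": (404, "https://github.com/old-org"),
    "https://github.com/gone-org/tool": (200, "https://github.com/held-org/tool"),
    "https://github.com/gone-org": (200, "https://github.com/gone-org"),
    "https://github.com/stable-org/lib": (200, "https://github.com/stable-org/lib"),
}
fake_status = FAKE_RESPONSES.__getitem__
```

A verdict of repojackable is exactly the condition the article describes: a rename redirect is in place and nobody holds the old owner name, so the remediation is to re-register that name as a placeholder or point the reference at the new name.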