Security researchers have uncovered a critical vulnerability called RepoJacking that affects millions of GitHub repositories.
According to an advisory published last week by Aqua Security Software, RepoJacking allows attackers to execute code within an organization’s internal environment or within a customer’s environment.
The company identified a number of high-profile targets, including organizations such as Google and Lyft, which were promptly notified and have since mitigated the issue.
In a technical document, the security firm explained that RepoJacking occurs when attackers take advantage of GitHub’s rename feature, which creates a redirect link from a repository’s old name to its new one.
By claiming the old repository name, an attacker can redirect users who still reference it to a repository under the attacker’s control and execute code.
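As an added illustration (not code from the Aqua advisory or this article), the following Python script audits a dependency manifest or install script for GitHub references that either depend on a rename redirect or point at a name nobody currently holds. The resolver is a constructed stand-in for a live lookup, and the sample manifest and repository names are constructed.

```python
import re
from typing import Callable, Optional

# Matches owner/repo in https, ssh (git@github.com:owner/repo) and raw-URL forms.
GITHUB_REF = re.compile(r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)")

def extract_github_refs(text: str) -> list[tuple[str, str]]:
    """Return the distinct (owner, repo) pairs referenced in a manifest or script."""
    refs = set()
    for owner, repo in GITHUB_REF.findall(text):
        if repo.endswith(".git"):
            repo = repo[:-4]
        refs.add((owner.lower(), repo.lower()))  # GitHub names are case-insensitive
    return sorted(refs)

Resolver = Callable[[str, str], Optional[tuple[str, str]]]

def audit_references(text: str, resolve: Resolver) -> dict[tuple[str, str], str]:
    """Classify each reference by where GitHub would send it today.
    resolve(owner, repo) returns the (owner, repo) the name currently lands on,
    or None if no repository answers to that name any more."""
    report = {}
    for owner, repo in extract_github_refs(text):
        target = resolve(owner, repo)
        if target is None:
            report[(owner, repo)] = "unclaimed"  # old name is free to be re-registered
        elif (target[0].lower(), target[1].lower()) != (owner, repo):
            # Still works today, but only through the rename link described above.
            report[(owner, repo)] = f"redirects to {target[0]}/{target[1]}"
        else:
            report[(owner, repo)] = "ok"
    return report

# Constructed sample: a requirements line, a curl|sh install line and a clone.
SAMPLE_MANIFEST = """
git+https://github.com/Old-Org/cool-lib.git@v1.2.0#egg=cool-lib
curl -sSL https://github.com/acme/tool/releases/download/v2/install.sh | sh
git clone git@github.com:gone-org/legacy-scanner.git
"""

# Constructed stand-in for a live lookup (e.g. following the redirect on the
# repository URL); in real use this would query GitHub.
_CONSTRUCTED_STATE = {
    ("old-org", "cool-lib"): ("new-org", "cool-lib"),  # renamed and moved
    ("acme", "tool"): ("acme", "tool"),                # unchanged
    # ("gone-org", "legacy-scanner") is absent: the name is no longer held
}

def constructed_resolver(owner: str, repo: str) -> Optional[tuple[str, str]]:
    return _CONSTRUCTED_STATE.get((owner.lower(), repo.lower()))

if __name__ == "__main__":
    for (owner, repo), status in audit_references(SAMPLE_MANIFEST, constructed_resolver).items():
        print(f"{owner}/{repo}: {status}")
```

Both "unclaimed" and "redirects to" entries are the ones to fix by pinning the reference to the repository's current name (or a commit hash) rather than relying on the rename link.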
“Anyone with the drive and creative digital archeology can mine historical links to valuable repositories that are not old but are actively used by currently running code,” said Tanium Chief Security Advisor Timothy Morris.
“These are supply chain vulnerabilities. It is imperative that security teams and risk managers understand where all software and dependencies come from.”
For more information on Github-focused attacks, see Github: A flexible cloud service increasingly exploited by state-sponsored threat actors.
In their advisory, the Aqua team demonstrated various exploitation scenarios including automatic downloads, manual downloads, and code execution via repository releases. The advisory also includes examples of vulnerable repositories.
To compile its research, the security firm turned to the database of the GHTorrent project. This database records public events on GitHub, such as commits and pull requests.
“After analyzing our sample dataset, we identified over 36,000 vulnerable repositories from 1.25 million samples. Extrapolating this data to the entire GitHub repository base, we estimate that there are potentially millions of vulnerable repositories,” the Aqua researchers wrote.
“This highlights risks beyond the GitHub issue: references to obsolete ‘old’ names can be used by others, provided all references remain unchanged,” explains John Bambenek, Principal Threat Hunter at Netenrich.
According to the executive, GitHub repositories are at risk of remote execution and backdoor installation. It is important to note that this risk extends to other resources already exploited by state actors, such as email addresses and domain names.
“Safe deprovisioning is something that we haven’t considered much as we move to cloud resources and open source, and it will continue to be an even bigger problem until we start addressing it,” concludes Bambenek.
The Aqua advisory comes months after VulnCheck discovered a series of malicious GitHub repositories masquerading as legitimate security research projects.