AquaSec analyzed a sample of 1% of GitHub repositories and found that about 37,000 of them are vulnerable to RepoJacking, including the repositories of companies such as Google and Lyft.

Millions of GitHub repositories are potentially vulnerable to RepoJacking, which allows attackers to carry out code execution on organizations' internal environments or on their customers' environments, according to research by AquaSec. AquaSec analyzed a sample of 1.25 million GitHub repositories and found that about 2.95% were vulnerable to RepoJacking, including repositories belonging to companies such as Google and Lyft.

What is RepoJacking?

On GitHub, organizations have usernames and repository names. After a change of management, a rebrand, or a similar event, an organization may change its username or a repository name on GitHub. GitHub also creates a redirect from the old name to the new one so that projects which depend on code from the renamed repository do not break. However, if someone re-registers the old name, that redirect stops working.

An attack in which the attacker registers a username that an organization used in the past, and then creates under it a repository with the old name, is called RepoJacking. Any project or code that still relies on the old name then fetches dependencies and code from the attacker-controlled repository, which could contain malware.

GitHub has some restrictions to prevent an attacker from reopening the old repository name. "However, they are applied only on popular repositories that were popular before the rename, and recently researchers found many bypasses to these restrictions allowing attackers to open any repository they want," AquaSec said.

AquaSec's research tactic

AquaSec downloaded all the logs from GHTorrent -- a website that provides the complete log history of GitHub repositories -- for June 2019 and compiled a list of 125 million unique repository names.
They then sampled 1% (1.25 million repository names) and checked each one to see if it was vulnerable to RepoJacking. "We found that 36,983 repositories were vulnerable to RepoJacking! That is 2.95% success rate," AquaSec said.

Potential exploitation due to RepoJacking vulnerability

AquaSec found that companies including Google and Lyft had vulnerable repositories and explained how they could be exploited. For Google, AquaSec found that a readme file containing instructions for building a project called Mathsteps pointed to a GitHub repository belonging to Socratic, a company that Google acquired in 2018 and which no longer exists. Using the vulnerability, an attacker can clone that repository under the old name and so break the redirection. Users following the instructions could then fetch a file containing malicious code the attacker inserted, allowing the attacker to achieve arbitrary code execution on the devices of unsuspecting users.

For Lyft, AquaSec found an installation script in the company's repository that fetches a ZIP archive from another repository, which was vulnerable to RepoJacking. This meant that attackers could inject their malicious code automatically into any Lyft installation script. Both Google and Lyft have fixed the issue.

Safeguarding the repositories

AquaSec advises organizations to regularly check their repositories for any links that may fetch resources from external GitHub repositories, since a referenced project, such as a Go module, can change its name at any time. "If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it," AquaSec said.

The researchers warn that organizations they did not analyze could also be vulnerable. "It's important to note that our analysis only covered a fraction of the available data, meaning that there are many more vulnerable organizations, potentially including yours," AquaSec said.
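One way to implement the check AquaSec recommends, as an added example that is not part of the article or of AquaSec's research: it pulls github.com/<owner>/<repo> references out of a README or install script and flags those that now resolve only through a rename redirect while the old owner name is unregistered (the RepoJacking precondition described above), while a kept placeholder owner is reported as safe. The resolve callback, SAMPLE_TEXT and FAKE_GITHUB are constructed stand-ins with invented names; in practice resolve would issue HTTP requests and follow redirects.

```python
import re
from typing import Callable, Dict, List, Tuple
# Matches github.com/<owner>/<repo> in URLs, Go module paths and "git@github.com:owner/repo.git".
GITHUB_REF = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+)")

def extract_refs(text: str) -> List[Tuple[str, str]]:
    """Return the unique (owner, repo) pairs referenced in text, in order found."""
    refs: List[Tuple[str, str]] = []
    for owner, repo in GITHUB_REF.findall(text):
        repo = repo[:-4] if repo.endswith(".git") else repo
        ref = (owner, repo.rstrip("."))  # drop a sentence-ending period
        if ref not in refs:
            refs.append(ref)
    return refs

def assess(refs, resolve: Callable[[str], Tuple[int, str]]) -> Dict[Tuple[str, str], str]:
    """resolve(path) is a hypothetical lookup returning (HTTP status, final path after
    redirects) for https://github.com/<path>; back it with a real HTTP client in use."""
    findings = {}
    for owner, repo in refs:
        path = f"{owner}/{repo}"
        status, final = resolve(path)
        if status == 404:
            findings[(owner, repo)] = "missing"  # already broken, nothing is served
        elif final.lower() != path.lower():
            # The old name only works via GitHub's rename redirect. If the old owner
            # name is unregistered, anyone can claim it and the redirect is replaced.
            owner_status, _ = resolve(owner)
            findings[(owner, repo)] = "repojackable" if owner_status == 404 else "redirected-owner-held"
        else:
            findings[(owner, repo)] = "ok"  # cannot tell whether the name was already retaken
    return findings

# Constructed sample text and an offline stand-in for GitHub (all names invented).
SAMPLE_TEXT = """
git clone https://github.com/old-org/mathsteps.git
curl -L https://github.com/legacy-co/tooling/archive/main.zip -o t.zip
go get github.com/kept-org/module
"""
FAKE_GITHUB = {
    "old-org/mathsteps": (200, "new-org/mathsteps"),      # renamed; old org name is free
    "legacy-co/tooling": (200, "legacy-co-inc/tooling"),  # renamed; placeholder org kept
    "legacy-co": (200, "legacy-co"),
    "kept-org/module": (200, "kept-org/module"),
}
def fake_resolve(path: str) -> Tuple[int, str]:
    return FAKE_GITHUB.get(path, (404, path))
def scan(text: str, resolve=fake_resolve) -> Dict[Tuple[str, str], str]:
    return assess(extract_refs(text), resolve)
```

Run scan() over each README, Dockerfile and install script in a repository and treat every "repojackable" verdict as a dependency to re-point at the current name.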