Millions of GitHub repositories are potentially vulnerable to RepoJacking, an attack that can give attackers code execution inside organizations' internal environments or on their customers' systems, according to research by AquaSec.

AquaSec analyzed a sample of 1.25 million GitHub repositories and found that about 2.95% were vulnerable to RepoJacking, including repositories belonging to companies such as Google and Lyft.

What is RepoJacking?

On GitHub, every repository is addressed by a username (or organization name) plus a repository name. After a change of management, a rebrand or a similar event, an organization may change its username or rename a repository. GitHub then creates a redirect from the old name to the new one so that projects fetching code from the old address keep working. However, if someone re-registers the old username, that redirect stops working: the old address now resolves to the newly created account rather than to the renamed original.

RepoJacking is the attack in which an attacker registers a username an organization used in the past and creates, under it, a repository with the name the organization used to have.

Any project that still fetches code from the old address, directly or through one of its dependencies, then pulls code from the attacker-controlled repository, which can contain malware.

GitHub has some restrictions to prevent an attacker from re-creating an old repository name. "However, they are applied only on popular repositories that were popular before the rename, and recently researchers found many bypasses to these restrictions allowing attackers to open any repository they want," AquaSec said.

AquaSec's research tactic

AquaSec downloaded all the logs from GHTorrent, a website that provides the complete log history of GitHub repositories, for June 2019 and compiled a list of 125 million unique repository names.
They then sampled 1% (1.25 million repository names) and checked each one to see whether it was vulnerable to RepoJacking.

"We found that 36,983 repositories were vulnerable to RepoJacking! That is 2.95% success rate," AquaSec said.

Potential exploitation due to RepoJacking vulnerability

AquaSec found that companies including Google and Lyft had vulnerable repositories and explained how they could be exploited.

For Google, AquaSec found that a README file with instructions for building a project called Mathsteps pointed to a GitHub repository under the name of Socratic, a company Google acquired in 2018 and which no longer exists.

An attacker could register that unused username and re-create a repository with the same name, breaking the redirect. Anyone following the README's instructions would then fetch a file containing code the attacker inserted, giving the attacker arbitrary code execution on the machines of unsuspecting users.

For Lyft, AquaSec found an installation script in one of the company's repositories that fetches a ZIP archive from another repository, and that other repository was vulnerable to RepoJacking. An attacker who took over that name could therefore inject malicious code into every run of the Lyft installation script.

Both Google and Lyft have fixed the issue.

Safeguarding the repositories

AquaSec advises organizations to regularly check their repositories for any links or scripts that fetch resources from external GitHub repositories, because a referenced project (a Go module, for example) can change its name at any time.

"If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it," AquaSec said.

The researchers warn that organizations they did not analyze could also be vulnerable.
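The two checks described above, finding references to external GitHub repositories in a project's files and testing whether the referenced owner name is still held by anyone, implemented as an added example that is not taken from AquaSec's research or tooling. The owners, repositories and redirects in its lookup tables are constructed for this example and are not claimed to exist; the functions demo_repo_lookup and demo_owner_exists stand in for calls to the GitHub REST API (GET /repos/{owner}/{repo}, which follows a rename redirect to the repository's current location, and GET /users/{owner}, which returns 404 for an unregistered name).

```python
"""Flag github.com references whose original owner name is no longer registered.

A reference is hijackable when the owner in the URL does not exist any more:
an attacker can register that name and create the repository under it, which
breaks GitHub's rename redirect and serves the attacker's code to every
consumer of the old address (RepoJacking).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Matches https://github.com/owner/repo[/...], git@github.com:owner/repo.git and
# bare module paths such as github.com/owner/repo as found in go.mod.
GITHUB_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9-]+)/([A-Za-z0-9._-]+?)(?:\.git)?(?=[^A-Za-z0-9._-]|$)"
)


@dataclass(frozen=True)
class Finding:
    owner: str
    repo: str
    status: str                # "ok", "redirected", "missing" or "hijackable"
    resolves_to: Optional[str]  # "owner/repo" GitHub currently serves, if any


def extract_refs(text: str) -> list[tuple[str, str]]:
    """Unique (owner, repo) pairs, lower-cased because GitHub names are case-insensitive."""
    refs: list[tuple[str, str]] = []
    for m in GITHUB_REF.finditer(text):
        ref = (m.group(1).lower(), m.group(2).lower())
        if ref not in refs:
            refs.append(ref)
    return refs


def classify(owner: str, repo: str,
             repo_lookup: Callable[[str, str], Optional[str]],
             owner_exists: Callable[[str], bool]) -> Finding:
    canonical = repo_lookup(owner, repo)  # where the old address resolves, or None
    if not owner_exists(owner):
        # Nobody holds the old name, so anyone can register it and recreate
        # `repo`, overriding the redirect for every project still using it.
        return Finding(owner, repo, "hijackable", canonical)
    if canonical is None:
        return Finding(owner, repo, "missing", None)     # dangling but not takeable by outsiders
    if canonical != f"{owner}/{repo}":
        return Finding(owner, repo, "redirected", canonical)  # works today; pin to the new name
    return Finding(owner, repo, "ok", canonical)


def scan(text: str,
         repo_lookup: Callable[[str, str], Optional[str]],
         owner_exists: Callable[[str], bool]) -> list[Finding]:
    return [classify(o, r, repo_lookup, owner_exists) for o, r in extract_refs(text)]


# Constructed lookup tables standing in for the GitHub API; none of these names are real.
_REDIRECTS = {                       # old location -> what GitHub serves for it now
    ("oldbrand", "widget"): "newbrand/widget",   # org renamed, old name never re-registered
    ("acme", "tool"): "acme/tool",
}
_OWNERS = {"newbrand", "acme"}       # "oldbrand" is not in the set: it is free to register


def demo_repo_lookup(owner: str, repo: str) -> Optional[str]:
    return _REDIRECTS.get((owner, repo))


def demo_owner_exists(owner: str) -> bool:
    return owner in _OWNERS


# Constructed install-script and go.mod fragments with three kinds of reference.
SAMPLE = """\
curl -L https://github.com/oldbrand/widget/archive/main.zip -o widget.zip
git clone git@github.com:acme/tool.git
require github.com/acme/gone v1.2.0
"""


def demo() -> list[Finding]:
    findings = scan(SAMPLE, demo_repo_lookup, demo_owner_exists)
    for f in findings:
        print(f"{f.status:10} {f.owner}/{f.repo} -> {f.resolves_to}")
    return findings


if __name__ == "__main__":
    demo()
```

On the constructed sample this reports oldbrand/widget as hijackable (it still redirects to newbrand/widget, but the oldbrand name is free to register), acme/tool as ok, and acme/gone as missing. To run it against real projects, replace the two demo lookups with calls to the GitHub API and extend the pattern to the other forms a fetch can take (raw.githubusercontent.com links, release asset URLs). A "hijackable" result is worth acting on even when the repository was popular before the rename, since the article notes that GitHub's popularity-based protection has been bypassed.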
"It's important to note that our analysis only covered a fraction of the available data, meaning that there are many more vulnerable organizations, potentially including yours," AquaSec said.