According to a study by Aqua Security, RepoJacking on GitHub poses a realistic risk to large companies like Google. RepoJacking involves attackers taking over repositories from companies or teams that have changed their username on GitHub. They can embed malicious code in the hijacked repo, posing a threat to the software supply chain. Aqua Security’s Nautilus team found that almost three percent of the 1.25 million repositories examined were susceptible to RepoJacking, including those belonging to Google and Lyft.
GitHub has implemented defense mechanisms that prevent RepoJacking for frequently used or cloned repositories. However, these mechanisms may not cover repositories that only became heavily used after the organization was renamed. Popular projects of larger organizations can also be affected when they have internal dependencies on vulnerable sub-projects.
To identify vulnerable repositories, Aqua used publicly available data on GitHub usage, specifically the GHTorrent project, which collects information about all public operations on GitHub. Aqua downloaded a list of 125 million repository names from the project website and checked a 1 percent sample for vulnerability to RepoJacking. They found that almost three percent, or 37,000 repositories, were potentially vulnerable.
Concrete examples of RepoJacking vulnerabilities were found in the repositories of Lyft and Google. An installation script in a Lyft repository referenced a renamed organization whose old name no longer existed on GitHub and was therefore available for anyone to register. The Nautilus team was able to create the referenced repository under that name and could, in principle, have distributed malicious code through it. Similarly, Google’s build instructions for the mathsteps project still referred to the old organization name, exposing the same weakness. Both Lyft and Google have since patched the vulnerabilities.
To counter RepoJacking, it is recommended to regularly check links to external GitHub repositories and to monitor for changes in organization names. Companies and open source teams should also consider retaining an organization’s old name after a rename, so that it cannot be claimed by someone else and used to impersonate frequently used repositories.
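One way to implement the recommended check, as an added example that is not part of Aqua’s study or its tooling: scan an install script or manifest for GitHub references and ask a resolver whether each repository still lives under the owner named, flagging references whose owner has been renamed (the old name may be claimable unless GitHub has retired it) and references that no longer resolve at all. The API helper, the sample script and all owner and repository names are assumptions constructed for this example.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# Matches https://github.com/owner/repo, git@github.com:owner/repo.git and bare github.com/owner/repo.
# raw.githubusercontent.com and other hosts are deliberately not covered here.
GITHUB_REF = re.compile(r"github\.com[:/](?P<owner>[A-Za-z0-9-]+)/(?P<repo>[A-Za-z0-9_.-]+)")

# A resolver returns the canonical "owner/repo" a reference resolves to today, or None if it is gone.
Resolver = Callable[[str, str], Optional[str]]


def find_github_references(text: str) -> list[tuple[str, str]]:
    """Extract unique (owner, repo) pairs referenced in a script or manifest, in order of appearance."""
    refs: list[tuple[str, str]] = []
    for m in GITHUB_REF.finditer(text):
        repo = m.group("repo")
        if repo.endswith(".git"):
            repo = repo[:-4]
        pair = (m.group("owner"), repo.rstrip("."))  # drop a sentence-ending dot
        if pair not in refs:
            refs.append(pair)
    return refs


def resolve_via_api(owner: str, repo: str) -> Optional[str]:
    """Live resolver (not used by the offline demo): GitHub's REST API answers a renamed
    repository with a redirect, which urllib follows, so full_name is the current location."""
    try:
        with urllib.request.urlopen(f"https://api.github.com/repos/{owner}/{repo}", timeout=10) as resp:
            return json.load(resp)["full_name"]
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def audit_references(text: str, resolve: Resolver) -> dict[str, list[str]]:
    """Classify references: 'ok', 'redirected' (owner renamed, old name may be claimable) or 'missing'."""
    result: dict[str, list[str]] = {"ok": [], "redirected": [], "missing": []}
    for owner, repo in find_github_references(text):
        ref = f"{owner}/{repo}"
        canonical = resolve(owner, repo)
        if canonical is None:
            result["missing"].append(ref)
        elif canonical.split("/")[0].lower() != owner.lower():
            result["redirected"].append(f"{ref} -> {canonical}")
        else:
            result["ok"].append(ref)
    return result


# Constructed sample install script and a constructed stand-in for the API (placeholder names, not real orgs).
SAMPLE_INSTALL_SH = """#!/bin/sh
pip install git+https://github.com/old-org-name/tool-a.git
git clone git@github.com:current-org/tool-b.git
wget https://github.com/deleted-org/tool-c/archive/main.zip
"""
FAKE_INDEX = {("old-org-name", "tool-a"): "new-org-name/tool-a", ("current-org", "tool-b"): "current-org/tool-b"}


def fake_resolve(owner: str, repo: str) -> Optional[str]:
    return FAKE_INDEX.get((owner, repo))


if __name__ == "__main__":
    for status, refs in audit_references(SAMPLE_INSTALL_SH, fake_resolve).items():
        print(f"{status:10} {refs}")
```

Entries under "redirected" are the ones to fix (or, for your own organization, the old names to re-register), and "missing" entries need a manual look before anyone re-creates them.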