15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

December 05, 2023 | Newsroom | Software Security / Supply Chain


New research has found that more than 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.

“Over 9,000 repositories were vulnerable to repojacking due to GitHub username changes,” Jacob Baines, VulnCheck’s chief technology officer, said in a report shared by The Hacker News. “Over 6,000 repositories are vulnerable to repojacking due to account deletion.”

In total, these repositories account for no less than 800,000 Go module-versions.



Repojacking, a portmanteau of “repository” and “hijacking,” is an attack technique that allows a bad actor to exploit username changes and account deletions to create a repository with the same name under the previous username, in order to stage open-source software supply chain attacks.

Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub were potentially vulnerable to the threat, urging organizations that change names to make sure they still own their former names as placeholders to prevent such abuse.

Modules written in the Go programming language are particularly susceptible to repojacking because, unlike other package manager solutions such as npm or PyPI, they are decentralized: they are published to version control platforms such as GitHub or Bitbucket.

“Anyone can then point to the Go module mirror and pkg.go.dev to cache module details,” Baines said. “An attacker can register a new unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev.”

To prevent developers from pulling potentially unsafe packages, GitHub has put in place a countermeasure called popular repository namespace retirement, which blocks attempts to create repositories with the names of retired namespaces that were cloned more than 100 times before the owners’ accounts were renamed or deleted.

But VulnCheck notes that this protection doesn’t help when it comes to Go modules because they are cached by the module mirror, thus eliminating the need to interact with or clone a repository. That is, there may be popular Go-based modules that have been cloned less than 100 times, resulting in a bypass of sorts.


“Unfortunately, mitigating all these repojackings is something Go or GitHub has to do,” Baines said. “It would be unreasonable for a third party to register 15,000 GitHub accounts. Until then, it’s important for Go developers to know the modules they use, and the state of the repository the modules come from.”
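One way to act on that advice, as an added example (not code from VulnCheck's report or from this article): list the GitHub `owner/repo` pairs behind a project's `go.mod` requirements so their repository state can be reviewed. The `go.mod` contents, module paths, observed statuses, and the reading of HTTP status codes are all constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod; every module path below is hypothetical.
const sampleGoMod = `module example.com/app
require (
	github.com/old-owner/widget v1.2.0
	github.com/gone-owner/parser/v2 v2.0.1 // indirect
	golang.org/x/text v0.14.0
)
require github.com/live-owner/tool v0.3.0
`

// Assumed meaning of the status from an unfollowed GET to github.com/<owner>/<repo>.
var finding = map[int]string{
	200: "present",
	301: "moved: old owner name may be re-registrable",
	404: "missing: owner or repo deleted (or private)",
}

// githubRepos lists the unique owner/repo pairs behind github.com requirements.
func githubRepos(gomod string) []string {
	seen := map[string]bool{}
	var repos []string
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) < 2 || !strings.HasPrefix(f[0], "github.com/") {
			continue
		}
		if p := strings.Split(f[0], "/"); len(p) >= 3 && !seen[p[1]+"/"+p[2]] {
			seen[p[1]+"/"+p[2]] = true
			repos = append(repos, p[1]+"/"+p[2])
		}
	}
	return repos
}

func main() {
	observed := map[string]int{"old-owner/widget": 301, "gone-owner/parser": 404, "live-owner/tool": 200} // constructed
	for _, r := range githubRepos(sampleGoMod) {
		fmt.Printf("%-18s %s\n", r, finding[observed[r]])
	}
}
```

A "present" result only shows that a repository exists at that path today; it does not show that the current owner is the original publisher.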

The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, which could potentially be exploited to stage supply chain, training data poisoning, and model theft attacks.
