Millions of Repos on GitHub Are Potentially Vulnerable to Hijacking

Many organizations are unwittingly exposing users of their code repositories to repojacking when renaming projects, a new study shows.

Millions of enterprise software repositories on GitHub are vulnerable to repojacking, a relatively simple kind of software supply chain attack where a threat actor redirects projects that are dependent on a particular repo to a malicious one instead.

The issue has to do with how GitHub handles dependencies when a GitHub user or organization changes the name of a project or transfers its ownership to another entity, researchers at Aqua Security said in a report this week.

Name-Change Risks

To avoid breaking code dependencies, GitHub creates a link between the original repo name and the new one so all projects that are dependent on the original repo get automatically redirected to the newly renamed one. However, if an organization fails to adequately protect the old username, an attacker could simply reuse it to create a trojanized version of the original repository so that any projects that relied on the repo will once again start downloading dependencies from it.

"When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," Aqua researchers said in a blog this week. "However, it is possible for anyone to create the old username and break this link."

Researchers at Aqua recently decided to investigate the prevalence of repositories on GitHub that are vulnerable to such repojacking, or dependency repository hijacking, as some security researchers refer to the threat.

Widely Prevalent Issue

What Aqua discovered was twofold: millions of such repositories — including those belonging to companies such as Google and Lyft — are present on GitHub; and tools are easily available to attackers to find these repos and hijack them. One of these tools is GHTorrent, a project that maintains a nearly complete record of all public events, such as commits and pull requests, on GitHub. Attackers can use GHTorrent to harvest the GitHub names of repositories that organization previously used. They can then register the repo under that old username, recreate the repository, and deliver malware to any project that uses it.

Any project that directly references a GitHub repository is vulnerable if the owner of the repository changes or deletes the username for their repository.

"We have presented a significant dataset that attackers can utilize to harvest the names of previous repositories belonging to organizations," says Yakir Kadkoda, security researcher at Aqua Nautilus.

"Organizations should not assume that their old organization names will remain undisclosed," warns Kadkoda. "It is crucial for them to claim and keep their old usernames on GitHub and scan GitHub URLs and references in their code to identify any repositories that could potentially be claimed by an attacker."

Bypassing Protections

Kadkoda says GitHub has attempted to address this issue by preventing the creation of usernames and repositories that were previously owned and now redirect to other projects. GitHub also implemented a mechanism several years ago to retire popular repository namespaces as a means of mitigating this threat. "However, several bypasses have been discovered in the past few years," he says. During Aqua's study, its researchers found several examples of repositories where the protection implemented by GitHub did not apply. "Therefore, users cannot fully rely on these defenses at this point," he says.

Aqua's blog pointed to a GitHub vulnerability that Checkmarx discovered last year as one example of the ways available to attackers to bypass GitHub's attempts to protect against repojacking. The flaw involved a mechanism called "popular repository namespace retirement" and affected all renamed usernames on GitHub, including over 10,000 packages on package managers such as Swift, Packagist, and Go. "Repojacking is a technique to hijack renamed repository URLs traffic and routing it to the attacker's repository by exploiting a logical flaw that breaks the original redirect," Checkmarx said in a report on the vulnerability. "A GitHub repository is vulnerable to repojacking when its creator decided to rename his username while the old username is available for registration."

Organizations can mitigate their exposure to the repojacking threat by scanning their code, repositories, and dependencies for GitHub links, Kadkoda says: "They should check if those links directly refer to GitHub projects or if there are redirects pointing to repositories under other usernames or repo names than the original links." In these instances, organizations should attempt to claim the available username to prevent attackers from doing so. "Additionally, organizations should always maintain their old usernames on GitHub," he says.