New research has found that more than 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.
“More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes,” Vulncheck’s chief technology officer Jacob Baines said in a report. “Over 6,000 repositories were vulnerable to repojacking due to account deletion.”
Collectively, these repositories contain at least 800,000 Go module-versions.
Repojacking, a portmanteau of “repository” and “hijacking,” is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.
Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to ensure that they still own their previous name as placeholders to prevent such abuse.
Modules written in the Go programming language are particularly susceptible to repojacking because unlike other package manager solutions like NPM or PyPl, they are decentralized due to the fact that they are published on version control platforms like GitHub or BitBucket.
“Anyone can then instruct Go module mirrors and pkg.go.dev to cache the module’s description,” Baines said. “An attacker could register a new unused username, copy the module repository, and publish a new module to proxy.golang.org and go.pkg.dev.”
To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners’ accounts being renamed or deleted.
But VulnCheck notes that this security is not helpful when it comes to Go modules because those modules are cached by the mirror, eliminating the need to interact with or clone the repository. In other words, there may be popular Go-based modules that have been cloned less than 100 times, resulting in a type of bypass.
“Unfortunately, the work of reducing all this repojacking will have to be done by either Go or GitHub,” Baines said. “A third-party cannot appropriately register 15,000 GitHub accounts. Until then, it is important for Go developers to be aware of the modules they use and the state of the repositories from which the modules originated. “
The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, that could be potentially exploited to stage supply chain, training data poisoning, and model theft attacks.
