GitHub, the widely used code hosting platform, revealed that more than 4,000 code packages are vulnerable to RepoJacking attacks. This flaw, uncovered by Checkmarx researchers, has raised concerns within the open-source community and prompted swift action from GitHub.
The RepoJacking Attack Explained
RepoJacking, short for repository hijacking, is a technique used by threat actors to take control of a repository. This attack method involves exploiting a race condition between GitHub’s repository creation and username renaming processes. Essentially, attackers claim the old username of a repository after the legitimate creator changes the username. They then publish a rogue repository with the same name, deceiving users into downloading malicious content.
The consequences of this vulnerability are far-reaching. It affects over 4,000 code packages across programming languages like Go, PHP, and Swift, as well as GitHub actions. Many of these packages have gained significant popularity, with over 1,000 stars. We are yet to uncover the potential impact on millions of users and various applications.
Checkmarx responsibly disclosed this vulnerability to GitHub on March 1, 2023, which prompted action from the platform. GitHub introduced the “popular repository namespace retirement” mechanism to prevent RepoJacking. With this security measure, repositories with more than 100 clones at the time of a username change are considered “retired” and cannot be used by others. The combination of the username and the repository name is also considered “retired.”
However, the security measure turned out to be easily circumvented. Checkmarx identified over 4,000 packages in package managers that used renamed usernames, putting them at risk of hijacking.
How the Attack Works
Checkmarx outlined the steps involved in the RepoJacking attack:
- The victim owns the namespace “victim_user/repo.”
- The victim renames “victim_user” to “renamed_user.”
- The “victim_user/repo” repository becomes retired.
- An attacker with the username “attacker_user” simultaneously creates a repository called “repo” and renames the username “attacker_user” to “victim_user.”
This is achieved through an API request for repository creation and a renamed request interception for the username change.
This discovery shows the ongoing risks associated with GitHub’s “popular repository namespace retirement” mechanism. Many GitHub users, including those controlling popular repositories and packages, choose to use the “User rename” feature offered by GitHub. This makes bypassing the “Popular repository namespace retirement” an attractive target for supply chain attackers.
Github Takes Decisive Action
GitHub has addressed the issue as of September 1, 2023, after responsible disclosure by Checkmarx. In light of this vulnerability, it is advisable for users to avoid using retired namespaces to minimize the attack surface. Additionally, thorough code audits are recommended to ensure that there are no dependencies that could lead to the hijacking of repositories.
The GitHub vulnerability discovered by Checkmarx shows the persistent threats to open-source projects. Users need to remain vigilant as attack methods continue to evolve.