"GitHub Flaw Underscores Risks of Open Source, RepoJacking"

A GitHub vulnerability was discovered that enables attackers to take control of a GitHub repository and infect every application and codebase that relies on it with malicious code. The flaw is a warning to anyone who relies on open-source packages: they are exposed, and open-source software is now a common attack vector. Companies using open-source software repositories must therefore take extra precautions to understand what they are deploying and to inventory it in a Software Bill of Materials (SBOM), which lets them identify and remediate more easily when malicious or suspicious payloads are found, according to Jim Kelly, RVP, endpoint security at Tanium.

Every renamed GitHub username was exposed to the flaw unless its owner explicitly addressed it, affecting more than 10,000 packages on the Go, Swift, and Packagist package managers. According to researchers from the Checkmarx Supply Chain Security (SCS) team, thousands of packages could have been hijacked immediately to serve malicious code to millions of users.

GitHub repositories are tied to usernames, so when a user renames their account, GitHub accepts the rename, issues a warning, and redirects traffic from the previous repository URL to the new one. According to Checkmarx, these redirect rules are set up automatically from the old repository URLs to the new ones so that users who are unaware of the username change keep working. A GitHub repository becomes vulnerable to RepoJacking when its creator renames their username while the old username is still available for registration. Because a repository URL is composed of the creator's username and the repository name, an attacker can register a new GitHub account under the old username and create a repository with the same name, reproducing the URL that existing users still reference. When this happens, the default redirect is disabled and all existing traffic is routed to the attacker's malicious GitHub repository.

This latest vulnerability, which GitHub has now fixed, should remind businesses to take extensive security precautions when using open-source solutions. The prevalence of open-source components in enterprise tooling, such as shared libraries, dependencies, and integrations, as well as in custom-built projects, creates the conditions for RepoJacking attacks, which can scale quickly if successful. This article continues to discuss the latest findings regarding the recently discovered GitHub vulnerability.
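The defensive check that follows from the description above is to look at your own dependency inventory and find GitHub-hosted packages whose owner account has been renamed, since those are the ones still resolving only through GitHub's redirect. The script below is an added example for this page, not code from Checkmarx, GitHub, or Security Boulevard. It extracts `github.com/<owner>/<repo>` paths from a `go.mod` file, probes each repository URL without following redirects, and reports whether the path is unchanged, redirected to a different owner, or no longer resolves. The `go.mod` text, owner names, and the offline `fake_probe` responses are all constructed for the example; `live_probe` is what you would pass in against real repositories.

```python
"""Audit GitHub-hosted Go dependencies for renamed-owner redirects.

Added example for this page (not Checkmarx's or GitHub's code). A dependency
whose github.com/<owner>/<repo> path now answers with a redirect to a
different path is one whose owner account was renamed; until the import path
is updated to the new location it depends on that redirect staying in place.
"""
import re
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Matches a module path such as github.com/owner/repo/v2, capturing owner and repo.
GITHUB_PATH = re.compile(r"^github\.com/([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+)")

# Constructed sample manifest: every owner and repository name is a placeholder.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.21

require (
    github.com/old-owner/widgets v1.4.0
    github.com/unchanged-owner/logger v0.9.2 // indirect
    github.com/gone-owner/parser v2.0.0
    golang.org/x/text v0.14.0
)
"""

REDIRECT_CODES = {301, 302, 307, 308}


def github_deps(go_mod_text):
    """Return [(owner, repo), ...] for every github.com module path in a go.mod."""
    deps = []
    for line in go_mod_text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        for token in line.split():
            match = GITHUB_PATH.match(token)
            if match:
                deps.append((match.group(1), match.group(2)))
                break
    return deps


class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx response itself stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_probe(url, timeout=10):
    """HEAD a repository URL; return (HTTP status, Location header or None)."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:  # raised for the refused 3xx as well as for 4xx
        return err.code, err.headers.get("Location")


def classify(owner, repo, status, location):
    """Map one probe result to ('ok' | 'redirected' | 'missing', target path)."""
    declared = f"{owner}/{repo}".lower()
    if status in REDIRECT_CODES and location:
        target = urlparse(location).path.strip("/").lower()
        if target != declared:
            return "redirected", target
        return "ok", declared
    if status == 404:
        return "missing", None
    return "ok", declared


def audit(go_mod_text, probe=live_probe):
    """Return {'owner/repo': (state, target)} for each GitHub dependency.

    'redirected' means the declared path only resolves via GitHub's rename
    redirect; 'missing' means it no longer resolves at all.
    """
    report = {}
    for owner, repo in github_deps(go_mod_text):
        status, location = probe(f"https://github.com/{owner}/{repo}")
        report[f"{owner}/{repo}"] = classify(owner, repo, status, location)
    return report


def fake_probe(url):
    """Constructed responses standing in for GitHub so the example runs offline."""
    path = urlparse(url).path.strip("/")
    if path == "old-owner/widgets":
        return 301, "https://github.com/new-owner/widgets"
    if path == "gone-owner/parser":
        return 404, None
    return 200, None


if __name__ == "__main__":
    for dep, (state, target) in audit(SAMPLE_GO_MOD, probe=fake_probe).items():
        suffix = f" -> {target}" if state == "redirected" else ""
        print(f"{dep}: {state}{suffix}")
```

A `redirected` finding is not a compromise by itself; the build still works because GitHub's redirect is still in place. The remediation is to update the import path to the new owner so the dependency no longer relies on the old namespace, and, for accounts you control, to keep the old username registered after a rename. A `missing` finding means the path has already stopped resolving and deserves immediate attention.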

Security Boulevard reports "GitHub Flaw Underscores Risks of Open Source, RepoJacking"
