New research has found that more than 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.
"More than 9,000 software repositories are vulnerable to repojacking attacks due to GitHub username changes," said a report shared by VulnCheck CTO Jacob Baines. “More than 6,000 repositories are vulnerable to re-hijacking due to account deletion.
In total, these software repositories contain no less than 800,000 Go module versions.
Repojacking A portmanteau of "repository" and "hijacking," it is an attack technique that allows bad actors to exploit the change and deletion of an account's username to create a new one with the same name and a pre-existing username repository to launch open source software supply chain attacks.
Earlier this June, cloud security company Aqua revealed that millions of software repositories on GitHub were likely vulnerable to this threat and urged organizations making name changes to ensure they still have the previous name as a placeholder, to prevent this abuse.
Modules written in the Go programming language are particularly vulnerable to repojacking because, unlike other package manager solutions such as npm or PyPI, these modules are decentralized as they are published to version control platforms such as GitHub or Bitbucket.
"Anyone can point me to Go module mirrors and pkg.go.dev cache module details," Baines said. "An attacker can register a new unused username, copy the module repository, and publish new modules to proxy.golang.org and go.pkg.dev.
To prevent developers from downloading potentially unsafe packages, GitHub has implemented a countermeasure called popular repository namespace retirement, which prevents repositories from being created using retired namespace names. Attempt, these namespaces were cloned more than 100 times before the owner account was renamed or deleted.
But VulnCheck points out that this protection is useless when it comes to Go modules, as the module mirror caches these modules, thus avoiding the need to interact with or clone the repository. In other words, there may be some popular Go-based modules that have been cloned less than 100 times, resulting in some kind of bypass.
"Unfortunately, reducing all of these repojackings is something Go or GitHub has to shoulder," Baines said. "Third parties cannot reasonably register 15,000 GitHub accounts. Until then, Go developers must understand the modules they use and the status of the repositories from which the modules come.
Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including tokens related to Google, Meta, Microsoft and VMware, which could potentially be exploited. Implement supply chain, training data poisoning, and model theft attacks.
Original article, author: xbear, if reprinted, please indicate the source: https://cncso.com/en/15000-go-module-repojacking-attack-on-github.html
