Dive Brief:
- Researchers discovered a vulnerability in GitHub’s popular repository namespace retirement mechanism, which placed thousands of open source packages at risk of being attacked through a technique called repojacking, according to a report from Checkmarx.
- Repojacking targets a legitimate namespace on GitHub. When a GitHub user changes their username through the user rename feature, traffic to the old repository URL is redirected to the new one.
- The Go, PHP and Swift languages are particularly at risk with more than 10,000 packages vulnerable to this attack vector. Once compromised, an outside attacker could send malicious code to millions of users in a supply chain attack.
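The brief above describes the precondition for repojacking: a dependency that is still reached through a rename redirect. The following added example (not from Checkmarx or the article) parses a constructed go.mod and flags any github.com dependency whose import path no longer matches where GitHub actually serves it; the resolver is injected so the check runs offline here, and in practice it would be backed by a live lookup such as following the redirect of the repository URL.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample go.mod (assumed module and dependency names, not real projects).
SAMPLE_GO_MOD = """module example.com/app

go 1.20

require (
	github.com/oldowner/widget v1.2.3
	github.com/stableorg/lib v0.9.0
	golang.org/x/text v0.3.7
)
"""

# Constructed stand-in for live GitHub lookups: maps "owner/repo" as written in
# go.mod to the "owner/repo" GitHub currently serves it under (None if the repo is gone).
SAMPLE_REDIRECTS: Dict[str, Optional[str]] = {
    "oldowner/widget": "newowner/widget",  # owner was renamed; reached only via redirect
    "stableorg/lib": "stableorg/lib",      # canonical location, no redirect involved
}

# Matches github.com requirements both inside a require block and on a bare require line.
GITHUB_REQUIRE = re.compile(
    r"^\s*(?:require\s+)?github\.com/([\w.-]+)/([\w.-]+)\s+v\S+", re.M
)


def github_deps(go_mod: str) -> List[str]:
    """Return 'owner/repo' for every github.com requirement in a go.mod file."""
    return [f"{owner}/{repo}" for owner, repo in GITHUB_REQUIRE.findall(go_mod)]


def redirected_deps(
    go_mod: str, resolve: Callable[[str], Optional[str]]
) -> Dict[str, Optional[str]]:
    """Flag dependencies whose import path differs from their canonical GitHub location.

    A dependency served only through a username-rename redirect is exactly the
    case the namespace retirement protection is meant to cover; listing these
    gives a defender the set of import paths worth pinning, vendoring or
    re-pointing at the renamed owner.
    """
    flagged: Dict[str, Optional[str]] = {}
    for dep in github_deps(go_mod):
        canonical = resolve(dep)
        if canonical != dep:
            flagged[dep] = canonical
    return flagged


if __name__ == "__main__":
    for old, new in redirected_deps(SAMPLE_GO_MOD, SAMPLE_REDIRECTS.get).items():
        print(f"{old} is reached via redirect (now served as {new})")
```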
Dive Insight:
A technique similar to repojacking was used earlier this year to poison widely popular PHP packages, which had millions of users.
Checkmarx was conducting research in 2021 when GitHub began redirecting its requests for Go packages, according to Aviad Gershon, a Checkmarx security researcher. Checkmarx reported the issue to GitHub, and attackers later took control of two popular PHP packages during the May attack.
Checkmarx Chief Architect Elad Rapoport then began to look into additional ways to bypass the same vulnerability.
“Both of these vulnerabilities are practically two different ways of going around the same wall, which is the popular namespace retirement protection,” Gershon said via email. “The first one required only reordering the steps of renaming a username, while the second, the current one, is a bit more complex and requires cleverly using another GitHub feature, the repository transfer.”
Checkmarx has contacted GitHub about the new vulnerability, and a patch has been issued.