Used by over 100 million developers and 90% of Fortune 100 companies, GitHub is a mega-success story in hosting code repositories for people to build, contribute to and implement software projects. This widespread use comes with the downside of making GitHub a rich target for attackers looking to access proprietary code, steal data or infiltrate software supply chains. This article describes an emerging type of attack known as repojacking that targets platforms like GitHub and explains how to mitigate its risk.
Repojacking is a type of cyberattack in which an outsider hijacks the account of someone who owns or maintains a code repository on a code hosting platform. The most widely seen example targets a redirect flaw for renamed GitHub repositories. There are, however, other ways to hijack a maintainer's or owner's account.
Many codebases directly reference GitHub repositories as dependencies via links to their URLs. These dependencies are essentially other blocks of code that a given project relies on for functionality. Examples include external libraries, frameworks and services.
The redirect flaw occurs when a repository’s owner changes the repository’s name or username, resulting in a new URL address. Typically, GitHub simply redirects any hard-coded links to the new URL so that any software that relies on the renamed project continues to function.
However, if a threat actor manages to re-establish the old repository URL, for example by registering the repository owner's abandoned old username and recreating a repository under the old name, the redirect no longer applies. Instead, any software that depends on the repository resolves the old URL to the hijacked repository, which is now under the threat actor's control. The adversary can then serve malicious code to every piece of software that fetches its dependency from that URL.
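As an added example (not from the article and not Nuspire's code), the following Python audit applies the mechanism just described from the defender's side: it pulls GitHub references out of dependency manifest lines, asks a resolver where each owner/repo pair currently lives, and flags references that only work because of a rename redirect (update them to the canonical name) or that point at a path which no longer resolves at all (a namespace nobody currently owns). It also reports whether each reference is pinned to a full commit SHA, since a git fetch pinned to a commit cannot be quietly replaced with different content even if the URL is later reclaimed. The manifest lines, the `acme`, `acme-org`, `widgets` and `ghost-dev` names and the in-memory `fake_resolver` are constructed for the demo; `github_resolver` is the live variant that sends a HEAD request and follows GitHub's redirect.

```python
"""Audit dependency manifests for GitHub references that rely on a rename redirect."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Reference styles seen in manifests: pip "git+https://github.com/o/r.git@ref",
# plain https URLs, "git@github.com:o/r.git", go.mod "github.com/o/r v1.2.3" and
# the npm "github:o/r#ref" shorthand. Branch names containing '/' are not handled.
_GITHUB_REF = re.compile(
    r"(?:(?:git\+)?https?://github\.com/|git@github\.com:|\bgithub\.com/|github:)"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)"
    r"(?:\.git)?(?:[@#](?P<ref>[\w.-]+))?(?:[^\w.-].*)?$"
)
_FULL_SHA = re.compile(r"[0-9a-f]{40}")

# A resolver maps (owner, repo) to where GitHub currently serves it, or None
# when the path returns 404, i.e. the name is free to be re-registered.
Resolver = Callable[[str, str], Optional[Tuple[str, str]]]

@dataclass(frozen=True)
class GitHubRef:
    owner: str
    repo: str
    ref: Optional[str]  # branch, tag or commit following '@' or '#', if any

    @property
    def pinned(self) -> bool:
        """A full commit SHA is the only ref a reclaimed repository cannot redefine."""
        return bool(self.ref and _FULL_SHA.fullmatch(self.ref))

@dataclass(frozen=True)
class Finding:
    spec: str
    ref: GitHubRef
    status: str  # "ok", "redirected" (rename redirect in play) or "unresolved" (404)
    canonical: Optional[Tuple[str, str]]

def parse_github_ref(spec: str) -> Optional[GitHubRef]:
    """Return the GitHub owner/repo/ref named in one manifest line, or None."""
    m = _GITHUB_REF.search(spec.strip())
    return GitHubRef(m["owner"], m["repo"], m["ref"]) if m else None

def github_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    """Live resolver: urllib follows the 301 GitHub issues for a renamed repo, so
    the final URL names the canonical owner/repo. Unauthenticated; keep volume low."""
    req = Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        with urlopen(req, timeout=10) as resp:
            final = resp.geturl()
    except HTTPError as err:
        if err.code == 404:
            return None
        raise
    m = re.match(r"https://github\.com/([^/?#]+)/([^/?#]+)", final)
    return (m[1], m[2]) if m else None

def audit(lines: List[str], resolve: Resolver) -> List[Finding]:
    """Classify every GitHub reference found in the given manifest lines."""
    findings = []
    for line in lines:
        ref = parse_github_ref(line)
        if ref is None:
            continue  # not a GitHub reference (e.g. a registry package)
        canonical = resolve(ref.owner, ref.repo)
        if canonical is None:
            status = "unresolved"
        # GitHub owner and repository names are case-insensitive.
        elif tuple(s.lower() for s in canonical) != (ref.owner.lower(), ref.repo.lower()):
            status = "redirected"
        else:
            status = "ok"
        findings.append(Finding(line.strip(), ref, status, canonical))
    return findings

# Constructed sample manifest lines; none of these projects are real.
SAMPLE_MANIFEST = [
    "git+https://github.com/acme/libfoo.git@main#egg=libfoo",
    '"parser": "github:widgets/parser#' + "0f" * 20 + '",',
    "https://github.com/ghost-dev/old-tool",
    "requests==2.31.0",
]

# Constructed stand-in for GitHub's redirect behaviour: acme/libfoo was renamed
# to acme-org/libfoo, widgets/parser is unchanged and ghost-dev/old-tool is gone.
_FAKE_DIRECTORY = {
    ("acme", "libfoo"): ("acme-org", "libfoo"),
    ("acme-org", "libfoo"): ("acme-org", "libfoo"),
    ("widgets", "parser"): ("widgets", "parser"),
}

def fake_resolver(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    return _FAKE_DIRECTORY.get((owner.lower(), repo.lower()))

def demo() -> List[Finding]:
    """Run the audit over the constructed manifest with the offline resolver."""
    return audit(SAMPLE_MANIFEST, fake_resolver)
```

Note the blind spot: once an old name has actually been reclaimed, the live resolver sees a repository that exists under exactly the referenced name and reports `ok`, which is indistinguishable from the never-renamed case. That is why the audit is most useful run periodically against a stored record of each dependency's canonical location, with unpinned references treated as findings in their own right.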
When an adversary manages to identify the potential for repojacking the repository of a widely used software package, the impact becomes much more far-reaching. There could feasibly be cases where thousands of businesses get hit with remote malicious code at once due to their software depending on and directly referencing the URL of a repojacked repository. In this sense, you can view repojacking as facilitating supply chain attacks.
PhPass is a portable public domain password hashing framework for PHP applications. This framework helps to address the fact that fast-paced modern development practices often result in security gaps in password storage for web apps, which can lead to issues if user databases are ever compromised.
PhPass uses a strong random salt for each password and a hashing scheme chosen for the environment it is running in, bcrypt where available and an MD5-based fallback otherwise. The goal is to make it as difficult as possible for an attacker to use brute force or rainbow table attacks to recover the original password, even with access to the hash.
While PHP has built-in password hashing functions, it’s common practice to use frameworks from GitHub like PhPass for this task. In May 2022, an amateur security researcher sparked alarm among the many businesses that rely on PHP to run their websites and web apps when he repojacked the PhPass repository.
The student, from Istanbul, bypassed GitHub authentication by re-registering the original repository owner's deleted account and adding malicious code to a forked version of PhPass. This malicious code could then steal environment variables, such as developer credentials. The same hacker carried out a similar proof-of-concept attack on the popular Python package CTX; the malicious version of CTX was downloaded over 27,000 times.
UAParser.js makes it easy to parse User-Agent strings by providing a simple API that returns a descriptive object. This object contains the desired parsed data, such as the browser’s name and version, the operating system’s name and version, and information about the user’s device (like whether it’s a mobile, tablet or console).
While the malicious versions were only online for four hours, the attack potentially impacted companies that set up automatic upgrades for this library. It’s also worth noting that this hack didn’t involve GitHub or any sort of redirect flaw; repojacking is not limited to GitHub repositories or registries.
Software supply chain attacks continue to impact companies, and repojacking is a particularly effective technique for facilitating large-scale code compromises. In fact, Gartner predicts that 45 percent of companies worldwide will experience a software supply chain attack by 2025. So, what can you do to reduce the risk of being impacted by repojacking?
Prominent voices in technology now believe that every company is a software company. Repojacking poses a real risk, but it’s not the only way hackers compromise software. Whatever way your business interacts with and uses code, it’s vital to stay on top of vulnerabilities.
Nuspire’s vulnerability management service (VMS) gives you actionable risk exposure data to address your most significant vulnerabilities. We’ll detect and classify all networked assets, run automated scans to identify what’s vulnerable and use vulnerability scoring to help you prioritize by highest risk and easy fixes.