
A Primer on Repojacking Attacks

Used by over 100 million developers and 90% of Fortune 100 companies, GitHub is a mega-success story in hosting code repositories for people to build, contribute to and implement software projects. This widespread use comes with the downside of making GitHub a rich target for attackers looking to access proprietary code, steal data or infiltrate software supply chains. This article describes an emerging type of attack known as repojacking that targets platforms like GitHub and explains how to mitigate its risk.

What is Repojacking?

Repojacking is a type of cyberattack in which an outsider hijacks the account of someone who owns or maintains a code repository on a code hosting platform. The most widely seen example targets a redirect flaw for renamed GitHub repositories. There are, however, other ways to hijack a maintainer’s or owner’s account.

Many codebases directly reference GitHub repositories as dependencies via links to their URLs. These dependencies are essentially other blocks of code that a given project relies on for functionality. Examples include external libraries, frameworks and services.

The redirect flaw arises when a repository’s owner renames the repository or changes their username, which gives the repository a new URL. Typically, GitHub simply redirects any hard-coded links to the new URL so that software relying on the renamed project continues to function.

However, if a threat actor manages to re-establish the old repository URL, for example by registering an account under the repository owner’s old username and re-creating the repository at the old URL, the redirect no longer applies. Instead, any software that depends on the repository resolves the old URL to the hijacked repository, which is now under the threat actor’s control. It is then easy for the adversary to remotely insert malicious code into any software that depends on this repository.

When an adversary manages to identify the potential for repojacking the repository of a widely used software package, the impact becomes much more far-reaching. There could feasibly be cases where thousands of businesses get hit with remote malicious code at once due to their software depending on and directly referencing the URL of a repojacked repository. In this sense, you can view repojacking as facilitating supply chain attacks.

Real-World Examples of Repojacking

PhPass

PhPass is a portable public domain password hashing framework for PHP applications. This framework helps to address the fact that fast-paced modern development practices often result in security gaps in password storage for web apps, which can lead to issues if user databases are ever compromised.

PhPass uses a strong random salt for each password and robust cryptographic hash algorithms like bcrypt or MD5, depending on the environment it’s being run in. The goal is to make it as difficult as possible for an attacker to use brute force or rainbow table attacks to figure out the original password, even if they have access to the hash.

While PHP has built-in password hashing functions, it’s common practice to use frameworks from GitHub like PhPass for this task. In May 2022, an amateur security researcher sparked alarm among the many businesses that rely on PHP to run their websites and web apps when he repojacked the PhPass repository.

The student, from Istanbul, bypassed GitHub authentication by re-registering the original repository owner’s deleted account and adding malicious code to a forked version of PhPass. This malicious code could then steal environment variables, such as developer credentials. The same hacker carried out a similar proof-of-concept attack on the popular Python package CTX; the malicious version of CTX was downloaded over 27,000 times.

UAParser.js

UAParser.js is a lightweight JavaScript library that allows developers to parse User-Agent strings. A User-Agent string is just data a browser sends to the server whenever someone visits a website. It includes details about the user’s browser, operating system and device. Capturing this data with a library is useful for web developers to tailor the content or layout of a website, or understand the user base and make more data-driven decisions.

UAParser.js makes it easy to parse User-Agent strings by providing a simple API that returns a descriptive object. This object contains the desired parsed data, such as the browser’s name and version, the operating system’s name and version, and information about the user’s device (like whether it’s a mobile, tablet or console).

With over eight million weekly downloads, this library is incredibly popular. In 2021, a hacker hijacked a user account on Node Package Manager (npm), a package manager and registry for the JavaScript programming language. The hacker then published three malicious versions of the library that could exfiltrate sensitive data from user endpoints.

While the malicious versions were only online for four hours, the attack potentially impacted companies that set up automatic upgrades for this library. It’s also worth noting that this hack didn’t involve GitHub or any sort of redirect flaw; repojacking is not limited to GitHub repositories or registries.

Reducing the Risk of Repojacking

Software supply chain attacks continue to impact companies, and repojacking is a particularly effective technique for facilitating large-scale code compromises. In fact, Gartner predicts that 45 percent of companies worldwide will experience a software supply chain attack by 2025. So, what can you do to reduce the risk of being impacted by repojacking?

  • Require developers to switch on two-factor or multi-factor authentication for any of their user accounts on code repositories and registries. Bear in mind that GitHub is rolling out mandatory two-factor authentication for developers who contribute code on GitHub.com by the end of 2023, which should strengthen resilience against GitHub-focused repojacking.
  • Encourage developers to avoid direct code dependencies on GitHub links or links to other code hosting platforms. Package managers are a safer option, particularly when paired with two-factor authentication.
  • Consider version pinning, where developers specify the exact version of a library, package or other dependency that their projects should use. By specifying exact versions, you eliminate the risk of automatically updating to a new version that may have security vulnerabilities. Just remember that version pinning also means you need to actively monitor your dependencies for updates so that you don’t miss important security patches.
  • Another mitigation option is vendoring, where you directly include the source code of dependencies in your project’s repository instead of relying on external package managers or sources to download and update them. Vendoring mitigates the risk of depending on external sources that might be compromised, but this does come with the cost of a heavier burden in maintaining dependencies.

Stay on Top of Your Vulnerabilities
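As an added example (not code from the original article), the following Python auditor applies the guidance above to two constructed manifests: it flags dependencies fetched straight from GitHub URLs and separates those pinned to a full commit hash, which a hijacked repository cannot silently replace, from those tracking a branch, a tag or the default branch; registry dependencies are reported as exact pins or auto-upgrading ranges. The owner, repository and package names in the sample manifests are made up.

```python
import json
import re
# Constructed sample manifests for this demo (not from the article).
REQUIREMENTS_TXT = """\
requests==2.31.0
git+https://github.com/example-org/fastlib.git@a94a8fe5ccb19ba61c4c0873d391e987982fbbd3#egg=fastlib
git+https://github.com/old-user/hashlib-port.git@main#egg=hashlib_port
"""
PACKAGE_JSON = json.dumps({"dependencies": {
    "ua-parser-js": "^1.0.0",
    "leftpad-fork": "github:old-user/leftpad-fork",
    "tinylib": "git+https://github.com/example-org/tinylib.git#v2.1.0",
}})
# github.com/<owner>/<repo>[.git] or npm's github:<owner>/<repo> shorthand,
# optionally followed by @ref or #ref (branch, tag or commit hash).
GITHUB_REF = re.compile(
    r"(?:github\.com/|github:)(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?"
    r"(?:[@#](?P<ref>[^#\s]+))?(?:#|$)"
)

def audit_spec(name, spec):
    """Return (name, category, note) for one dependency specifier."""
    m = GITHUB_REF.search(spec)
    if not m:  # registry dependency: exact pin or an auto-upgrading range
        if re.fullmatch(r"(?:==)?\d+(?:\.\d+)*", spec):
            return name, "registry-exact", "exact version from a registry"
        return name, "registry-range", "range; auto-upgrades to new releases"
    repo, ref = f"{m['owner']}/{m['repo']}", m["ref"]
    if ref is None:  # no ref: whatever the current URL owner serves
        return name, "default-branch", f"{repo}: tracks the default branch"
    if re.fullmatch(r"[0-9a-f]{40}", ref):  # content bound to the hash
        return name, "commit-pinned", f"{repo}: pinned to commit {ref[:12]}"
    return name, "mutable-ref", f"{repo}: '{ref}' can be re-pointed after a hijack"

def parse_requirements(text):
    """Yield (name, spec) pairs from pip-style requirements lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "#egg=" in line:  # VCS requirement; the egg fragment names it
            yield line.rsplit("#egg=", 1)[1], line
        else:
            name, _, version = line.partition("==")
            yield name, ("==" + version) if version else name

def audit_manifests(requirements_txt, package_json):
    """Audit a requirements.txt and a package.json; returns the findings."""
    deps = list(parse_requirements(requirements_txt))
    deps += list(json.loads(package_json).get("dependencies", {}).items())
    return [audit_spec(name, spec) for name, spec in deps]
```

Anything reported as default-branch or mutable-ref is exactly the kind of dependency that a repojacked URL can redirect to attacker-controlled code; moving it to a registry package or pinning it to a commit hash closes that gap.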

Prominent voices in technology now believe that every company is a software company. Repojacking poses a real risk, but it’s not the only way hackers compromise software. Whatever way your business interacts with and uses code, it’s vital to stay on top of vulnerabilities.

Nuspire’s vulnerability management service (VMS) gives you actionable risk exposure data to address your most significant vulnerabilities. We’ll detect and classify all networked assets, run automated scans to identify what’s vulnerable and use vulnerability scoring to help you prioritize by highest risk and easy fixes.
