Red code for GitHub: 15,000 Go repositories on the verge of being compromised

Brother
VulnCheck warns of a large-scale software supply-chain exposure in the Go module ecosystem.

A new study by vulnerability intelligence firm VulnCheck found that more than 15,000 Go module repositories on GitHub are exposed to a "repository hijacking" or "RepoJacking" attack.

This type of attack abuses a username change or a complete account deletion performed by the rightful owner of a GitHub account. The attacker registers the now-free username, creates a repository with the same name as the old one, and thereby takes control of the import path (github.com/user/repo) that existing projects and downstream dependencies still reference, so that they pull the attacker's code instead of the original.

According to VulnCheck, more than 15,000 Go module repositories were found to be exposed to such attacks. "More than 9,000 repositories are vulnerable due to GitHub username changes. A further 6,000 or more are vulnerable due to account deletion," commented the company's chief technology officer, Jacob Baines.

These repositories collectively account for at least 800,000 Go module versions used by developers around the world. Consequently, hijacking even a fraction of them could have serious consequences for the security of many software products.

Go modules are particularly exposed. Unlike ecosystems such as npm or PyPI, which publish packages through a central registry, Go modules are distributed in a decentralized manner: the module path itself points at the hosting repository on a platform such as GitHub or Bitbucket, so whoever controls that repository name controls the module.

"Anyone can instruct the Go module mirror and the pkg.go.dev site to cache module details, bypassing the repository," notes Baines. Because developers normally download modules through the mirror rather than cloning from GitHub, a module can be widely used without that usage ever showing up as traffic on GitHub; the attacker then only needs to register the abandoned username and recreate the repository under its old name.

GitHub tries to counter such attacks with "popular repository namespace retirement", which blocks the re-creation of repositories under names that were frequently cloned before the owner renamed or deleted the account. This does not help Go modules that are fetched through the module mirror's cache rather than cloned from GitHub, because the popularity GitHub measures never materializes.

"Unfortunately, mitigating all of these potential repository hijackings is a challenge for Go or GitHub. A third party cannot reasonably register 15,000 accounts defensively," states Baines. He encourages Go developers to be vigilant and to monitor the status of the modules and repositories they depend on. In practice, versions already recorded in go.sum remain verifiable against the Go checksum database, so the exposure lies in new versions published under a reclaimed path, which a fresh `go get` or `go get -u` would fetch.
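As an added example (not part of the original article and not VulnCheck's tooling), the following Go program performs the kind of monitoring the article calls for and covers both cases it describes: it parses the require directives of a go.mod, picks out github.com-hosted modules, and flags those whose GitHub account name no longer resolves, which is exactly the state left behind by a username change or an account deletion. The go.mod contents, module paths and owner names are constructed for illustration; the live check uses the public api.github.com/users endpoint, and the lookup is injectable so the logic can be exercised offline with a stub.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Dependency is one github.com-hosted module listed in a go.mod require section.
type Dependency struct {
	ModulePath string // full module path, e.g. github.com/acme/widgets/v2
	Owner      string // GitHub account that must still exist for the path to be safe
	Repo       string
	Version    string
}

// ParseGitHubRequires extracts github.com-hosted modules from go.mod text.
// It handles both single-line "require m v" and "require ( ... )" blocks
// and strips comments (including "// indirect" markers).
func ParseGitHubRequires(goMod string) []Dependency {
	var deps []Dependency
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var fields []string
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case inBlock:
			fields = strings.Fields(line)
		case strings.HasPrefix(line, "require "):
			fields = strings.Fields(line)[1:]
		default:
			continue // module, go, replace, exclude lines are not audited here
		}
		if len(fields) < 2 {
			continue
		}
		if d, ok := gitHubDependency(fields[0], fields[1]); ok {
			deps = append(deps, d)
		}
	}
	return deps
}

// gitHubDependency splits github.com/<owner>/<repo>[/...] into its parts.
func gitHubDependency(modulePath, version string) (Dependency, bool) {
	parts := strings.Split(modulePath, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return Dependency{}, false
	}
	return Dependency{ModulePath: modulePath, Owner: parts[1], Repo: parts[2], Version: version}, true
}

// Audit returns the dependencies whose GitHub owner no longer exists, i.e. the
// account names an attacker could re-register to hijack the import path.
// ownerExists is injected so the audit can run offline against a stub.
func Audit(deps []Dependency, ownerExists func(owner string) (bool, error)) ([]Dependency, error) {
	var hijackable []Dependency
	cache := map[string]bool{} // one lookup per owner, not per module
	for _, d := range deps {
		exists, seen := cache[d.Owner]
		if !seen {
			var err error
			exists, err = ownerExists(d.Owner)
			if err != nil {
				return nil, fmt.Errorf("checking owner %q: %w", d.Owner, err)
			}
			cache[d.Owner] = exists
		}
		if !exists {
			hijackable = append(hijackable, d)
		}
	}
	return hijackable, nil
}

// GitHubOwnerExists asks the public GitHub REST API whether an account exists;
// a 404 means the name is currently free to re-register. Needs network access.
func GitHubOwnerExists(owner string) (bool, error) {
	client := &http.Client{Timeout: 10 * time.Second}
	resp, err := client.Get("https://api.github.com/users/" + owner)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d for %s", resp.StatusCode, owner)
	}
}

// sampleGoMod is a constructed go.mod; every module path and owner is made up.
const sampleGoMod = `module example.com/app

go 1.21

require github.com/alice/logfmt v1.2.0

require (
	github.com/bob/parser/v2 v2.0.1 // indirect
	golang.org/x/text v0.14.0
	github.com/alice/cache v0.3.0
)
`

func main() {
	deps := ParseGitHubRequires(sampleGoMod)
	hijackable, err := Audit(deps, GitHubOwnerExists)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, d := range hijackable {
		fmt.Printf("REPOJACKABLE: %s@%s (GitHub owner %q no longer exists)\n", d.ModulePath, d.Version, d.Owner)
	}
}
```

A 404 for an owner means the name is free and the import path can be claimed by anyone; a 200 only tells you that some account holds the name today, not that it is the original maintainer, so a freshly re-registered owner still deserves a manual look. Run it against the real go.mod by replacing sampleGoMod with the file's contents.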

The threat of repository hijacking is therefore a serious one for the GitHub ecosystem and can do significant damage to software security in general. GitHub and the Go team should develop effective countermeasures to protect modules and repositories from such attacks as quickly as possible.