Recent research has identified a significant supply chain risk affecting more than 15,000 Go module repositories hosted on GitHub [1] [2] [4]. These repositories are vulnerable to repojacking [1] [2] [4] [5] [6] [7]: when a GitHub account is renamed or deleted, its old username becomes available again, and an attacker who registers it can recreate a repository under the original name [1] [2] [4] [5]. Because a Go module's import path (for example github.com/<owner>/<repo>) embeds that username, anyone still resolving the old path can receive the attacker's code, which enables open-source software supply chain attacks [1] [2] [3] [4] [5].

Description

Of the affected repositories, more than 9,000 are exposed because the owning account was renamed and a further 6,000 because the account was deleted [5]. Together they account for at least 800,000 Go module versions. Go is particularly susceptible to repojacking because it has no central package registry: module paths are URLs that point directly at a version control host such as GitHub, and the username in that path is the only thing binding a module to its original author.

GitHub's countermeasure, popular repository namespace retirement [2] [4] [5], blocks re-creation only of repositories that saw enough clone traffic before the rename or deletion, and it does not effectively protect Go modules: the Go module mirror caches and serves them, so the GitHub repository itself sees little of the download traffic that would mark it as popular [2] [4] [5] [7]. Addressing these attacks will therefore require action from either Go or GitHub [1] [7]. Until then, Go developers should remain vigilant about the modules they depend on and the current state of the repositories behind them [1] [3] [5] [6] [7]. Note that go.sum and the checksum database only pin versions that have already been recorded; they do not stop an attacker from publishing a new version from a hijacked repository, so dependency upgrades deserve particular scrutiny.
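One way to put that vigilance into practice is to audit a go.mod for GitHub-hosted dependencies whose owner account no longer matches the import path. The program below is an added example, not code from the cited research or from the Go toolchain. The go.mod contents and the module names are constructed for illustration, and the resolver is a hypothetical stand-in so the example runs offline; a real implementation would look up each repository on GitHub (for instance by following the redirect of https://github.com/<owner>/<repo>) and return the account that now serves it, or report that it no longer exists.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed go.mod used as sample input for this example; the module
// names below are hypothetical and do not refer to real projects.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/alice/widgets v1.4.0
	github.com/bob/netutil/v2 v2.0.1 // indirect
	github.com/carol/parser v0.3.2
	golang.org/x/net v0.19.0
)

require github.com/dave/logger v1.0.0
`

// Resolver reports where a GitHub repository lives today. currentOwner is the
// account that now serves github.com/<owner>/<repo> (after any redirect);
// exists is false when the repository no longer resolves at all.
type Resolver func(owner, repo string) (currentOwner string, exists bool)

// Finding is one dependency whose original GitHub namespace is no longer
// held by the account named in its import path.
type Finding struct {
	ModulePath   string
	Owner        string
	Repo         string
	CurrentOwner string // empty when the repository was deleted
	Reason       string
}

// requiredModules returns the module paths listed in require directives,
// handling both single-line and block form and ignoring trailing comments.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[0])
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				mods = append(mods, f[1])
			}
		}
	}
	return mods
}

// githubOwnerRepo splits a module path such as github.com/alice/widgets/v2
// into its owner and repository; ok is false for paths not hosted on GitHub.
func githubOwnerRepo(modulePath string) (owner, repo string, ok bool) {
	parts := strings.Split(modulePath, "/")
	if len(parts) < 3 || !strings.EqualFold(parts[0], "github.com") {
		return "", "", false
	}
	return parts[1], parts[2], true
}

// checkRepojacking flags every GitHub-hosted dependency whose owner account
// has been renamed or deleted, i.e. whose namespace could be re-registered.
// GitHub usernames are case-insensitive, hence the folded comparison.
func checkRepojacking(gomod string, resolve Resolver) []Finding {
	var out []Finding
	for _, m := range requiredModules(gomod) {
		owner, repo, ok := githubOwnerRepo(m)
		if !ok {
			continue
		}
		cur, exists := resolve(owner, repo)
		switch {
		case !exists:
			out = append(out, Finding{m, owner, repo, "", "repository deleted; namespace is free"})
		case !strings.EqualFold(cur, owner):
			out = append(out, Finding{m, owner, repo, cur, "owner renamed; old namespace is free"})
		}
	}
	return out
}

// fakeResolver is a hypothetical, constructed stand-in for a GitHub lookup so
// that the example runs offline. It simulates one unchanged account, one
// renamed account, one deleted account and one more unchanged account.
func fakeResolver(owner, repo string) (string, bool) {
	switch strings.ToLower(owner + "/" + repo) {
	case "alice/widgets":
		return "alice", true // unchanged
	case "bob/netutil":
		return "bob-dev", true // account renamed: github.com/bob is free again
	case "carol/parser":
		return "", false // account deleted: github.com/carol is free again
	case "dave/logger":
		return "dave", true
	}
	return "", false
}

func main() {
	for _, f := range checkRepojacking(sampleGoMod, fakeResolver) {
		fmt.Printf("%s: %s (currently served by %q)\n", f.ModulePath, f.Reason, f.CurrentOwner)
	}
}
```

Run against the constructed go.mod, the check reports github.com/bob/netutil/v2 (owner renamed to bob-dev) and github.com/carol/parser (account deleted); the other dependencies are either unchanged or not hosted on GitHub. A renamed owner is flagged even though the old path still redirects today, because the redirect is exactly what an attacker breaks by re-registering the name.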

Conclusion

Repojacking of Go module repositories hosted on GitHub poses a significant threat to open-source software supply chains. A durable fix requires proactive measures from either Go or GitHub [7]. In the meantime, developers using Go modules should verify the modules they depend on, pin versions, and periodically check whether the accounts and repositories behind their dependencies still exist under the names their import paths reference. The issue also shows that ecosystems which resolve dependencies directly from version control hosts inherit the namespace lifecycle of those hosts, and need countermeasures designed around it.

References

[1] https://vulners.com/thn/THN:CF7720ADA665D93843DCED53D84332F2
[2] https://owasp.or.id/2023/12/05/15000-go-module-repositories-on-github-vulnerable-to-repojacking-attack/
[3] https://www.cyber-oracle.com/p/over-15000-github-repositories-vulnerable
[4] https://thehackernews.com/2023/12/15000-go-module-repositories-on-github.html
[5] https://ciso2ciso.com/15000-go-module-repositories-on-github-vulnerable-to-repojacking-attack-sourcethehackernews-com/
[6] https://cybermaterial.com/github-go-modules-vulnerable-to-repojacking/
[7] https://infosecbulletin.com/15000-go-module-repositories-on-github-vulnerable-to-repojacking-attack/