October 3, 2023

Researchers have spotted thousands of open-source code repositories on GitHub that could be vulnerable to an old exploit.

Researchers analysed millions of GitHub code repositories and found that almost 3% were vulnerable to an attack called repojacking. The bad actors could take control over an entire GitHub project.

Organizations that own these projects change their name and then create links to maintain the older account name. This is a convenience feature to help developers, but attackers can weaponize it, If these attacks are successful, malware could be inserted into these repositories, threatening software supply chains.


Some of these accounts found belong to major companies, such as Google LLC and Lyft Inc. Researchers notified all vulnerable account holders before publicly disclosing their results. More than 36,000 vulnerable repositories in their sample of GitHub log histories from June 2019.

As a recommendation, organizations should establish a regular program to check their GitHub repositories for links that go to external accounts and make sure that naming conventions are valid. If you change your organization name, ensure that you still own the previous name as well, even as a placeholder, to prevent attackers from creating it.

This research was documented by researchers from Aqua Security.

Leave a Reply

%d bloggers like this: