New research has brought to light a significant security concern in over 15,000 Go module repositories on GitHub. These repositories are found to be vulnerable to an attack known as repojacking, a technique that enables bad actors to exploit GitHub username changes and deletions to stage open-source software supply chain attacks.
Jacob Baines, Chief Technology Officer at VulnCheck, shared in a report that more than 9,000 repositories are susceptible to repojacking due to GitHub username changes, while over 6,000 repositories face the risk due to account deletions. Collectively, these repositories account for no less than 800,000 Go module versions.
What is Repojacking?
Repojacking, a portmanteau of "repository" and "hijacking," allows attackers to create a repository with the same name as a pre-existing one by taking advantage of account username changes and deletions. This poses a serious threat to the integrity of open-source software.
Go Modules Vulnerability:
Modules written in the Go programming language are particularly susceptible to repojacking. Unlike other package manager solutions like npm or PyPI, Go modules are decentralized and get published to version control platforms like GitHub or Bitbucket. This decentralization makes them more exposed to such attacks.
Countermeasures and Challenges:
GitHub has implemented a countermeasure called "popular repository namespace retirement" to prevent the creation of repositories with retired namespaces. However, this measure is not foolproof for Go modules, as they are cached by the module mirror, potentially allowing attackers to bypass the protection.
Recommendations:
Jacob Baines emphasized the importance for Go developers to be aware of the modules they use and the state of the repositories. Mitigating repojackings requires collaborative efforts from Go and GitHub, as third-party interventions are limited.
Additional Security Concerns:
In a related discovery, Lasso Security found 1,681 exposed API tokens on Hugging Face and GitHub. These tokens, associated with major companies such as Google, Meta, Microsoft, and VMware, pose a risk of supply chain attacks, training data poisoning, and model theft.
In conclusion, the vulnerabilities in Go module repositories underscore the importance of robust security measures in the open-source software ecosystem. Developers and platform providers need to work together to address these challenges and ensure the integrity of the software supply chain.
Comments
Post a Comment