15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.

“More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes,” Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. “More than 6,000 repositories were vulnerable to repojacking due to account deletion.”

Collectively, these repositories account for more no less than 800,000 Go module-versions.

Repojacking, a portmanteau of “repository” and “hijacking,” is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.

Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to ensure that they still own their previous name as placeholders to prevent such abuse.

Modules written in the Go programming language are particularly susceptible to repojacking as unlike other package manager solutions like npm or PyPI, they are decentralized due to the fact that they get published to version control platforms like GitHub or Bitbucket.

“Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module’s details,” Baines said. “An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev.”

To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners’ accounts being renamed or deleted.

But VulnCheck noted that this protection isn’t helpful when it comes to Go modules as they are cached by the module mirror, thereby obviating the need for interacting with or cloning a repository.” In other words, there could be popular Go-based modules that have been cloned less than 100 times, resulting in a bypass of sorts.

“Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on,” Baines said. “A third-party can’t reasonably register 15,000 GitHub accounts. Until then, it’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from.”

The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including those associated with Google, Meta, Microsoft, and VMware, that could be potentially exploited to stage supply chain, training data poisoning, and model theft attacks.