Millions of GitHub repos likely vulnerable to RepoJacking, researchers say (Security News, June 2023)
Millions of GitHub repositories may be vulnerable to dependency repository hijacking, also known as "RepoJacking," which could help attackers deploy supply chain attacks impacting a large number of users.
The warning comes from AquaSec's security team, 'Nautilus,' which analyzed a sample of 1.25 million GitHub repositories and found about 2.95% of them to be vulnerable to RepoJacking.
RepoJacking is an attack in which a malicious actor registers a username that an organization used in the past but has since changed, and recreates under it a repository the organization once hosted there.
GitHub's protection covers only highly popular projects, but those projects may depend on a less popular, vulnerable repository that is not covered, so a compromise of that dependency reaches them too.
To highlight the importance of the problem, AquaSec scanned renowned organizations for vulnerable repositories and found exploitable cases in repos managed by Google and Lyft.
In the case of Lyft, the attack would be more automated, as AquaSec found an installation script in the company's repository that fetches a ZIP archive from another repository that is itself vulnerable to RepoJacking.
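The Lyft case above comes down to a stale github.com reference inside a script. As an added example (not from the article or from AquaSec's research), here is a small Python audit that pulls github.com references out of an install script or dependency file and flags those whose repository is now served under a different owner, which is what a rename leaves behind and is the precondition for RepoJacking. The install script and the resolver table are constructed; a live resolver would follow the redirect GitHub issues for renamed repositories, which is an assumed API here.

```python
import re

# Matches github.com/<owner>/<repo> in URLs, go.mod/go get lines and git SSH remotes.
GITHUB_REF = re.compile(r"""github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?=[/\s"'@]|$)""")

def find_github_refs(text):
    """Return the distinct (owner, repo) pairs referenced in text, in order."""
    refs = []
    for m in GITHUB_REF.finditer(text):
        pair = (m.group(1), m.group(2))
        if pair not in refs:
            refs.append(pair)
    return refs

def classify(owner, repo, resolve):
    """resolve(owner, repo) returns the (owner, repo) GitHub currently serves for
    that path, or None. A live version would follow GitHub's redirect for renamed
    repositories (assumed here). Returns 'ok', 'missing', or 'redirect-risk' when
    another owner now serves it: the owner name in the reference is stale and
    should be checked for whether it can be re-registered."""
    target = resolve(owner, repo)
    if target is None:
        return "missing"
    if target[0].lower() != owner.lower():
        return "redirect-risk"
    return "ok"

def audit(text, resolve):
    """Map each 'owner/repo' reference in text to its classification."""
    return {f"{o}/{r}": classify(o, r, resolve) for o, r in find_github_refs(text)}

# Constructed install script, modelled on the kind of fetch the article describes.
SAMPLE_SCRIPT = """\
#!/bin/sh
curl -sL https://github.com/old-org/tool/archive/refs/heads/main.zip -o tool.zip
go get github.com/current-org/lib@v1.2.0
git clone git@github.com:gone-user/project.git
"""

# Constructed rename table standing in for live GitHub redirect lookups.
RENAME_TABLE = {
    ("old-org", "tool"): ("new-org", "tool"),        # org renamed; old name is stale
    ("current-org", "lib"): ("current-org", "lib"),  # still served as referenced
    ("gone-user", "project"): None,                  # deleted; nothing served
}

def fake_resolve(owner, repo):
    return RENAME_TABLE.get((owner, repo))
```

Calling `audit(SAMPLE_SCRIPT, fake_resolve)` yields the three outcomes; in practice replace `fake_resolve` with a function that requests the repository URL from GitHub and compares the owner in the final URL with the one written in the reference.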