Thousands of Go module repositories on GitHub are vulnerable to attack

Thousands of Go module repositories on GitHub are vulnerable to an attack known as repository hijacking, or repojacking, experts have warned.

In this attack, an attacker takes advantage of a developer having renamed or deleted their account: they register an account under the old name, create a repository with the same name as the original, and add malicious code to it. That allows them to mount devastating supply chain attacks, because developers can integrate the code without knowing that it is a malicious impersonator.

According to a new report from cybersecurity researchers at VulnCheck, there are more than 9,000 repositories vulnerable to repojacking because of GitHub username changes, and 6,000 repositories vulnerable due to account deletion. Together, they host at least 800,000 Go module-versions.

Remaining vigilant

Analysing the alert, The Hacker News said modules written in Go are “particularly susceptible” to repojacking because they are decentralized and get published to version control platforms like GitHub or BitBucket.

"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Jacob Baines, chief technology officer at VulnCheck, told the publication. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."

GitHub already tried to tackle this problem via a feature called “popular repository namespace retirement”. It prevents users from creating repositories under retired namespaces whose repositories were cloned more than 100 times in the past. However, VulnCheck says the feature isn’t of much help for Go: because Go modules are served from the module mirror’s cache rather than from GitHub directly, a module can be widely used while its repository has fewer than 100 clones, so it never qualifies for retirement and remains susceptible to repojacking.

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."
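The awareness Baines recommends can be automated for a single project. The following is an added example (not code from VulnCheck or from the report): it parses a go.mod file and flags every github.com dependency whose owner account no longer exists, which is exactly the namespace an attacker could re-register. The go.mod text, the owner names and the registeredOwner lookup are constructed stand-ins; a real audit would replace registeredOwner with a query against GitHub's user API.

```go
package main

import "strings"

// Finding is a dependency whose GitHub owner account is no longer registered.
type Finding struct{ ModulePath, Owner string }

// AuditGoMod parses the require lines of go.mod text (single-line and block forms)
// and returns the github.com dependencies whose owner account is unregistered.
// ownerExists is injected so the audit runs offline; a real run would query GitHub.
func AuditGoMod(gomod string, ownerExists func(string) bool) []Finding {
	var out []Finding
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock || line == "":
			continue
		}
		fields := strings.Fields(line)             // module path, version, optional comment
		parts := strings.SplitN(fields[0], "/", 3) // github.com/<owner>/<repo...>
		if parts[0] != "github.com" || len(parts) < 3 || ownerExists(parts[1]) {
			continue
		}
		out = append(out, Finding{ModulePath: fields[0], Owner: parts[1]})
	}
	return out
}

// sampleGoMod is a constructed go.mod; the owner names are invented.
const sampleGoMod = `module example.com/app
require (
	github.com/alive-owner/lib v1.2.0
	github.com/gone-owner/tool v0.3.1 // indirect
	golang.org/x/text v0.14.0
)
require github.com/alive-owner/other v2.0.0+incompatible
`

// registeredOwner is a constructed stand-in for a GitHub account lookup.
func registeredOwner(owner string) bool { return owner == "alive-owner" }
```

Run AuditGoMod(sampleGoMod, registeredOwner) and only github.com/gone-owner/tool is reported, since its owner name is free to be re-registered; golang.org/x/text is skipped because it is not GitHub-hosted.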

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.