Thousands of Go module repositories on GitHub are vulnerable to attack
The Go modules are vulnerable to repojacking, researchers warn
Thousands of Go module repositories on GitHub are vulnerable to an attack known as repository hijacking, or repojacking, experts have warned.
In this attack, a hacker abuses the fact that a developer changed the name of their account or deleted it altogether. They abuse it by creating an account, and a repository of the same name, and then adding malicious code to it. Consequently, that allows them to mount devastating supply chain attacks, because developers can integrate that code not knowing that it’s a malicious impersonator.
According to a new report from cybersecurity researchers at VulnCheck, there are more than 9,000 repositories vulnerable to repojacking because of GitHub username changes, and 6,000 repositories vulnerable due to account deletion. Together, they host at least 800,000 Go module-versions.
Remaining vigilant
Analysing the alert, The Hacker News said modules written in Go are “particularly susceptible” to repojacking because they are decentralized and get published to version control platforms like GitHub or BitBucket.
"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Jacob Baines, chief technology officer at VulnCheck, told the publication. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."
GitHub already tried to tackle this problem via a feature called “popular repository namespace retirement”. It prevents users from creating repositories with the names of retired namespaces that were cloned more than 100 times in the past. However, VulnCheck says the feature isn’t of much help as Go modules are cached by the module mirror, meaning there could be popular Go modules with fewer than 100 clones, and thus still susceptible to repojacking.
"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- GitHub unveils Copilot Enterprise to transform your corporate codebase
- Here's a list of the best firewalls today
- These are the best endpoint protection software right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.