Thousands of Go module repositories on GitHub are vulnerable to attack


Thousands of Go module repositories on GitHub are vulnerable to an attack known as repository hijacking, or repojacking, experts have warned.

In this attack, an attacker takes advantage of a developer having renamed or deleted their account. The attacker registers an account under the old name, creates a repository with the same name, and adds malicious code to it. Projects that still reference the original path then pull in that code, which enables devastating supply chain attacks, because developers integrate it without realising it is a malicious impersonator.

According to a new report from cybersecurity researchers at VulnCheck, there are more than 9,000 repositories vulnerable to repojacking because of GitHub username changes, and 6,000 repositories vulnerable due to account deletion. Together, they host at least 800,000 Go module-versions.

Remaining vigilant

Analysing the alert, The Hacker News said modules written in Go are “particularly susceptible” to repojacking because they are decentralized and get published to version control platforms like GitHub or Bitbucket.

"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Jacob Baines, chief technology officer at VulnCheck, told the publication. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."

GitHub has already tried to tackle this problem with a feature called “popular repository namespace retirement”, which prevents users from creating repositories under retired namespaces that were cloned more than 100 times in the past. However, VulnCheck says the feature isn’t of much help for Go: because modules are cached and served by the module mirror, developers rarely clone the repository directly, so a popular Go module can have fewer than 100 clones and remain susceptible to repojacking.

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."
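One way a team can act on that advice, as an added example that is not from the article or from VulnCheck: parse go.mod for github.com modules and ask GitHub, without following redirects, whether each owner/repo still resolves. The go.mod content and repository names below are constructed for the example, and the check assumes GitHub answers a moved owner or repository with a 3xx redirect and a deleted one with a 404.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)
// Constructed go.mod content for this example (not taken from the article).
const sampleGoMod = `module example.com/app
require (
	github.com/olduser/tool v1.2.3
	github.com/gone-user/lib v0.4.0 // indirect
)
require github.com/keeper/pkg v2.0.0
`
// GitHubRepos returns each distinct github.com owner/repo required in goMod (block or single-line form).
func GitHubRepos(goMod string) []string {
	var repos []string
	seen := map[string]bool{}
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) == 0 || !strings.HasPrefix(f[0], "github.com/") {
			continue
		}
		if p := strings.Split(f[0], "/"); len(p) >= 3 && !seen[p[1]+"/"+p[2]] {
			seen[p[1]+"/"+p[2]] = true
			repos = append(repos, p[1]+"/"+p[2])
		}
	}
	return repos
}
// CheckRepo HEADs baseURL/owner/repo without following redirects: 3xx ("renamed") means the owner
// or repo moved and the old name may be free to re-register; 404 ("missing") means it was deleted.
func CheckRepo(baseURL, ownerRepo string) (string, error) {
	c := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := c.Head(baseURL + "/" + ownerRepo)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return "ok", nil
	case resp.StatusCode == http.StatusNotFound:
		return "missing", nil
	case resp.StatusCode >= 300 && resp.StatusCode < 400:
		return "renamed", nil
	}
	return "", fmt.Errorf("%s: unexpected status %d", ownerRepo, resp.StatusCode)
}
```

A repository whose old name has already been re-registered answers 200 from the new occupant, so "ok" is a starting point rather than proof; compare the repository's history and your go.sum hashes as well.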

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
