TechRadar
Sead Fadilpašić

Thousands of Go module repositories on GitHub are vulnerable to attack

Supply Chain.

Thousands of Go module repositories on GitHub are vulnerable to an attack known as repository hijacking, or repojacking, experts have warned.

In this attack, a hacker takes advantage of a developer having renamed or deleted their account. They register an account under the old name, create a repository with the same name, and add malicious code to it. That sets up a devastating supply chain attack, because other developers can pull in that code without knowing it is a malicious impersonator of the original.

According to a new report from cybersecurity researchers at VulnCheck, there are more than 9,000 repositories vulnerable to repojacking because of GitHub username changes, and 6,000 repositories vulnerable due to account deletion. Together, they host at least 800,000 Go module-versions.

Remaining vigilant

Analysing the alert, The Hacker News said modules written in Go are “particularly susceptible” to repojacking because they are decentralized and get published to version control platforms like GitHub or BitBucket.

"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Jacob Baines, chief technology officer at VulnCheck, told the publication. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."

GitHub already tried to tackle this problem via a feature called “popular repository namespace retirement”. It prevents users from creating repositories under retired namespaces whose repositories were cloned more than 100 times in the past. However, VulnCheck says the feature isn’t of much help here: because Go modules are cached by the module mirror, a widely used Go module may have been cloned from GitHub fewer than 100 times, so its namespace is never retired and it remains susceptible to repojacking.

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."
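Baines' advice boils down to knowing which GitHub accounts your dependencies come from and whether those accounts still exist. The following Go program is an added example (not code from TechRadar or VulnCheck) of such an audit: it parses the require lines of a go.mod, extracts the GitHub owner of each module path, and flags modules whose owner account is no longer registered, since a freed username is exactly what repojacking needs. The offline demo uses a constructed go.mod with placeholder account names and a map-based checker; the optional live checker assumes GitHub's public REST endpoint `GET https://api.github.com/users/{name}`, which answers 404 when no account holds that name.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Module is one entry from a go.mod require list.
type Module struct {
	Path    string
	Version string
}

// ParseGoModRequires extracts module path/version pairs from go.mod text,
// handling both the single-line "require x v1" form and "require ( ... )"
// blocks; trailing comments such as "// indirect" are ignored.
func ParseGoModRequires(gomod string) []Module {
	var mods []Module
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case strings.HasPrefix(line, "require ("):
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if inBlock && len(fields) == 2 {
			mods = append(mods, Module{fields[0], fields[1]})
		} else if !inBlock && len(fields) == 3 && fields[0] == "require" {
			mods = append(mods, Module{fields[1], fields[2]})
		}
	}
	return mods
}

// GitHubOwner returns the account that owns a module path such as
// github.com/owner/repo/v2, or "" when the module is not hosted on GitHub.
func GitHubOwner(path string) string {
	parts := strings.Split(path, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return ""
	}
	return parts[1]
}

// OwnerChecker reports whether a GitHub account name is currently taken.
type OwnerChecker func(owner string) (bool, error)

// FindOrphanedModules returns the GitHub-hosted modules whose owner account
// no longer exists. Those are the repojacking candidates: anyone can
// register the freed username and recreate the repository under it.
func FindOrphanedModules(mods []Module, check OwnerChecker) ([]Module, error) {
	seen := map[string]bool{} // cache so each owner is queried once
	var orphaned []Module
	for _, m := range mods {
		owner := GitHubOwner(m.Path)
		if owner == "" {
			continue
		}
		exists, cached := seen[owner]
		if !cached {
			var err error
			if exists, err = check(owner); err != nil {
				return nil, err
			}
			seen[owner] = exists
		}
		if !exists {
			orphaned = append(orphaned, m)
		}
	}
	return orphaned, nil
}

// LiveGitHubChecker queries the public GitHub REST API (assumed endpoint
// GET /users/{name}, 404 when unregistered). Unauthenticated calls are rate
// limited, so use it for periodic audits rather than on every build.
func LiveGitHubChecker(client *http.Client) OwnerChecker {
	return func(owner string) (bool, error) {
		resp, err := client.Get("https://api.github.com/users/" + owner)
		if err != nil {
			return false, err
		}
		defer resp.Body.Close()
		switch resp.StatusCode {
		case http.StatusOK:
			return true, nil
		case http.StatusNotFound:
			return false, nil
		}
		return false, fmt.Errorf("unexpected status %d for %s", resp.StatusCode, owner)
	}
}

// sampleGoMod is constructed input; the account names are placeholders.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/active-maintainer/lib v1.4.0
	github.com/renamed-account/tool v0.3.1 // indirect
	golang.org/x/text v0.14.0
)

require github.com/deleted-account/helper/v2 v2.0.0
`

// constructedChecker stands in for the live API so the demo runs offline:
// only "active-maintainer" is treated as a still-registered account.
func constructedChecker(owner string) (bool, error) {
	known := map[string]bool{"active-maintainer": true}
	return known[owner], nil
}

func main() {
	mods := ParseGoModRequires(sampleGoMod)
	orphaned, err := FindOrphanedModules(mods, constructedChecker)
	if err != nil {
		fmt.Fprintln(os.Stderr, "check failed:", err)
		os.Exit(1)
	}
	for _, m := range orphaned {
		fmt.Printf("repojacking candidate: %s %s (GitHub account %q is unregistered)\n",
			m.Path, m.Version, GitHubOwner(m.Path))
	}
}
```

A missing owner account is only one signal: the check cannot tell a deleted account from a renamed one, and it says nothing about the repository's current contents, so a flagged module still needs a human look at where it is now served from. Note also that go.sum only pins the versions already recorded in it, which is why the attack in the article works through publishing new module versions rather than altering old ones.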
