The newest threat to GitHub: RepoJacking
ReversingLabs
ReversingLabs is the trusted name in file and software security. RL - Trust Delivered.
Welcome to the latest edition of Chainmail: Software Supply Chain Security News, which brings you the latest software supply chain security headlines from around the world, curated by the team at ReversingLabs.
This week: Researchers discovered that GitHub repositories are vulnerable to RepoJacking, posing severe software supply chain risk. Also: AWS S3 buckets are being hijacked to attack npm packages.
This Week’s Top Story
Dependency repository hijacking, also known as "RepoJacking," is a kind of attack currently plaguing GitHub repositories, with malicious actors able to deploy supply chain attacks to a large number of the platform’s users. Nautilus, the security team at AquaSec, analyzed a large sample of GitHub repositories, finding that close to 3% of them (equating to roughly 9 million in total) are vulnerable to RepoJacking.
RepoJacking is a kind of attack where a malicious actor registers a username on GitHub and creates a repository with a name that has been used by an organization in the past, but since discarded. Often, this is due to an organizational name change or a company merger or acquisition. When successful, RepoJacking attacks see legitimate projects with an unaltered dependence on the legacy repository fetching dependencies and code from the new, attacker-controlled repository that has taken over its name. That could include fetching malicious code.
GitHub is aware of this kind of attack and has implemented some defenses to prevent RepoJacking. However, the AquaSec report shows that these measures are so far incomplete and easily bypassed. For example, GitHub's protection covers only high-profile projects, but RepoJacking attacks could just as easily target dependencies on lesser-known repositories that are vulnerable.
AquaSec analyzed over one million GitHub repositories and scanned repositories managed by big-name organizations to determine which ones are vulnerable to RepoJacking. The two exploitable cases found by researchers include repositories managed by Google and Lyft. In the case of Google’s repository, researchers found that a successful attack could see developers downloading code from a rogue repository and obtaining remote code execution on the user’s device.
Development organizations should become mindful of RepoJacking, since it is a widely used attack method that is difficult to mitigate, and it poses severe risk to software supply chains. (Bleeping Computer)
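A check for the exposure described above, added here as an example and not code from the page, AquaSec or ReversingLabs: it pulls GitHub-hosted dependencies out of a manifest and flags any whose name GitHub now redirects (the legacy owner or repo name is claimable) or that no longer exists. The manifest, the names and the redirect table are constructed; `github_resolver` is a hypothetical live resolver that needs network access.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Matches owner/repo in common manifest styles: "github:owner/repo" (npm shorthand), "github.com/owner/repo" (go.mod), "git+https://github.com/owner/repo.git@tag" (pip).
GITHUB_REF = re.compile(r"""github(?:\.com)?[:/]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[\s"',#@/]|$)""")

# Constructed manifest fragment (not from any real project) mixing the styles above.
SAMPLE_MANIFEST = """\
"left-pad-ish": "github:acme-legacy/left-pad-ish",
git+https://github.com/acme-legacy/widgets.git@v2.1.0#egg=widgets
github.com/well-known/stable-lib v1.4.0
"""

# Constructed redirect table standing in for GitHub's answers: a renamed owner (legacy name now free), a deleted repo, and an unchanged one.
KNOWN_REDIRECTS: Dict[str, Optional[str]] = {
    "acme-legacy/left-pad-ish": "acme-corp/left-pad-ish",
    "acme-legacy/widgets": None,
    "well-known/stable-lib": "well-known/stable-lib",
}

def extract_github_deps(manifest: str) -> List[str]:
    """Return the unique 'owner/repo' names referenced in a manifest, in order of appearance."""
    names = [f"{owner}/{repo}" for owner, repo in GITHUB_REF.findall(manifest)]
    return list(dict.fromkeys(names))

def find_repojacking_exposure(manifest: str, resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Flag dependencies whose name no longer points at itself. resolve(name) returns the name GitHub
    serves after redirects, or None if it is gone; both cases leave the referenced name open to registration."""
    findings: Dict[str, str] = {}
    for name in extract_github_deps(manifest):
        final = resolve(name)
        if final is None:
            findings[name] = "missing: name is free to register"
        elif final.lower() != name.lower():
            findings[name] = f"redirects to {final}: legacy name is free to register"
    return findings

def github_resolver(name: str) -> Optional[str]:
    """Hypothetical live resolver (needs network): request github.com/<name> and read the final URL after redirects."""
    try:
        with urllib.request.urlopen(f"https://github.com/{name}", timeout=10) as resp:
            m = re.match(r"https://github\.com/([^/]+/[^/?#]+)", resp.geturl())
            return m.group(1) if m else None
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise
```

Run offline with `find_repojacking_exposure(SAMPLE_MANIFEST, KNOWN_REDIRECTS.get)`; swap in `github_resolver` to check a real manifest against GitHub.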
This Week's Headlines
Miscreants are using expired Amazon Web Services (AWS) S3 buckets to place malicious code into a legitimate package in the npm repository without having to tinker with any code. Software security firm Checkmarx found that dozens of open source packages in the npm code repository are vulnerable to this type of attack, following an advisory shared last month by GitHub. (The Register)
The Alphv ransomware gang (also known as BlackCat) successfully phished a Reddit employee back in February, which the gang claims gave them access to 80GB worth of compressed data from the company. Now, Alphv is demanding that Reddit not only pay a hefty ransom of $4.5 million for the gang to not leak the data, but also that Reddit change their policies for API pricing. However, one of Reddit’s chief executives told the Associated Press that Reddit will not back down from keeping their current API policy. (ITWire)
Web applications are foundational to a company’s business and brand identity yet are highly vulnerable to digital attacks by cybercriminals. As such, it’s vital to have a robust and forward-leaning approach to web application security. With an estimated market size of USD $30B by 2030, the term “application security” takes on numerous forms, but one area of heightened relevance in today’s world is the DevSecOps space. This article explains how the principles of DevSecOps can be applied to the security of web applications. (CIO)
Earlier this year, several threat actors, including at least one nation-state group, broke into a U.S. federal government agency's Microsoft Internet Information Services (IIS) web server by exploiting a critical three-year-old Telerik bug to achieve remote code execution, according to a forensic analysis of a different federal civilian executive branch agency released this week. And despite this vulnerability being known and proven using a proof of concept in 2018, the agency was still relying on unpatched software containing the flaw up until they were attacked in April 2023. (The Register)
Resource Round Up
Upcoming Webinar: Eliminating Threats Lurking in Open Source Software
On June 28, ReversingLabs’ experts will take a deep dive into how open source components are constructed, the risks associated with usage, questions teams should ask themselves as they assess issues, and how to safely use foreign code with the ReversingLabs Software Supply Chain Security platform. [Register Now]
ReversingLabs’ host Paul Roberts chats with Robert Martin of MITRE and Cassie Crossley of Schneider Electric about their session at this year’s RSA Conference. They explained how MITRE’s System of Trust can serve as a standard for software supply chain risk. The two also chatted with Paul about the greater issues facing software supply chains today, such as standardization and transparency. [Listen Now]
Modern SOC teams require agility and accuracy to detect and respond to threats. Learn about how ReversingLabs enhances Microsoft Sentinel — and start a free trial. [Learn More]