December 5, 2023 at 05:48AM
Over 15,000 Go module repositories on GitHub are susceptible to “repojacking,” with vulnerabilities due to user name changes and account deletions. This exploit allows attackers to hijack supply chains by duplicating and publishing malicious modules. GitHub’s countermeasure is ineffective for Go modules, with a call for action from Go or GitHub.
Meeting Takeaways:
1. A new vulnerability report by VulnCheck reveals over 15,000 Go module repositories on GitHub are at risk of repojacking—a serious security threat exploiting username changes and account deletions on GitHub.
2. Repojacking involves attackers creating a repository with the same name as a deleted or changed user account, thereby positioning themselves to carry out supply chain attacks.
3. The affected Go module repositories collectively contribute to more than 800,000 Go module-versions.
4. Go modules are particularly vulnerable because they are decentralized, relying on version control platforms for publication, unlike package managers like npm or PyPI that are more centralized.
5. While GitHub has protection called “popular repository namespace retirement,” this does not fully guard against repojacking for Go modules as their details can still be cached by a module mirror despite the namespace retirement measures.
6. Jacob Baines of VulnCheck notes that mitigating these vulnerabilities is a challenge for Go or GitHub, rather than a third party, and until addressed, Go developers need to be vigilant about the modules they utilize and their origin repositories.
7. Lasso Security discovered over 1,600 exposed API tokens on Hugging Face and GitHub, posing additional risks for supply chain attacks, training data poisoning, and model theft.
Recommendations for Action:
– Considering the significance of the repojacking vulnerability and the disclosure of exposed API tokens, organizations must reassess and possibly increase their oversight and verification processes for Go module repositories.
– Developers should scrutinize the state of the repositories for the modules in use to ensure their integrity.
– It may be necessary for Go and GitHub to collaborate on a more robust solution to protect against these types of attacks.
– It would be prudent to follow industry news on this topic for updates and emerging solutions.