It's increasingly apparent that GitHub repojacking poses a legitimate risk to developers. Hackers can take advantage of users and companies changing their GitHub names by hijacking old repository names in the hopes that malicious files they add may be fetched by applications that use the code as a dependency.
It’s important, then, that you take steps to protect your own GitHub project if you recently changed your username or reference other repositories as dependencies.
What Is RepoJacking?
GitHub repojacking is a type of exploit that can take place after a repository owner changes their username. The old username and repository name combination become available, and a repojacker can take advantage of its dependencies by claiming the username and creating a repository with the same name.
Repojacking can pose two distinct types of risk:
- Repojacking can make an otherwise trustworthy application unreliable. If you use an application that uses a GitHub repository as a dependency and the owner renames the repository, using the application will leave you vulnerable.
- Repojacking can put an application you’re developing at risk. If you reference a GitHub repository as a dependency and fail to notice or update it when the repository is renamed, your application will be vulnerable to repojacking exploits.
Repojacking doesn’t pose a tremendous risk to users, but there is legitimate reason to believe that it could serve as the mechanism for a serious supply chain attack. If an application has a dependency that references a repojacked repository, it will call for and receive code from the repojackers that may contain malware.
If you develop on GitHub, knowing how you can minimize your risk of supply chain attacks and repojacking—both in terms of being the hijacked repository and being a third-party with dependencies—is vital.
How to Minimize RepoJacking Risk
Repojacking attacks rely on an extremely predictable mechanism: the hijackers take control of an unclaimed repository and then take advantage of any applications that reference it as a dependency. Luckily, this makes repojacking easy to combat.
Create Private Clones of Repositories
Cloning a repository is an excellent way to minimize the risk associated with dependencies in your project because you will have absolute control over your private copy. You can create a private copy of a public repository by bare cloning and mirror pushing it, as documented on GitHub.
Track Your Project Dependencies Carefully
If you decide that you would prefer to avoid the trouble and reference public repositories, you should make sure you audit your project dependencies frequently. Checking the status of your dependencies a few times a year will take under an hour at most—and it will save you a lot of stress.
Reconsider Renaming Your Account
Ideally, keeping your username up-to-date wouldn’t be any cause for concern. Given the risk of repojacking, however, you should consider keeping your outdated name. If you must change your username, you should claim and reserve the old name by registering another account.
Use External Resources Wisely
Dependencies pose an inherent risk because they create third-party access points in your application. While they’re typically worth the time they save, regularly auditing your project dependencies is crucial. You should also take other security measures, such as using SSH authentication, to prevent exploits.