Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack
Sep 12, 2023
Software Security / Vulnerability
A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show. The flaw "could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News. "Successful exploitation of this vulnerability impacts the open-source community by enabling the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub actions." Following responsible disclosure on March 1, 2023, the Microsoft-owned code hosting platform has addressed the issue as of September 1, 2023. Repojacking , short for repository hijacking , is a technique where a threat actor is able to bypass a security mechanism called popular repository namespace retirement and ultimately control of a repository. What the protection measure does is preven