
Unveiling Repo Jacking: The Alarming Practice Threatening Open-Source Security

Original Post: Repo Jacking: The Great Source-code Swindle

The blog post dives deep into the largely unnoticed but critical attack vector called ‘Repo Jacking.’ It explains how Repo Jacking can compromise popular software components, focusing on the Terraform IaC and Composer (PHP package registry) ecosystems. Repo Jacking occurs when old organization names in code repositories are released, allowing attackers to take over these namespaces and serve malicious code.

To illustrate, if a GitHub organization is renamed, the original URL redirects to the new one. However, if the old name becomes available, an attacker can claim it and create a repository with the same name, leading to potentially dangerous scenarios where software tools like Terraform and Composer fetch malicious code.

The article elaborates on how Terraform modules and Composer packages are vulnerable to such attacks, providing step-by-step demonstrations and results from research showing significant potential impacts, including hijacking of modules with hundreds of thousands of downloads.
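The check below is an added example (not code from the original post or from HashiCorp/Packagist) of how a defender can audit their own dependency manifests for the exposure the post describes: it pulls GitHub owner/repo pairs out of Terraform `git::` module sources and Composer `vcs` repositories, flags any whose owner has since been renamed (so the old namespace is released and could be re-registered), and flags Terraform refs that are not pinned to a commit SHA. The sample `.tf` and `composer.json` text, the `RENAMES` table (standing in for the HTTPS redirect lookup a real scanner would perform), and all owner/repo names are constructed.

```python
import json
import re

# github.com/<owner>/<repo> inside a URL, optional .git suffix (added example, not the post's code)
GITHUB_RE = re.compile(r'github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?=[/?#"]|$)')

def github_refs_from_terraform(tf_text):
    """(owner, repo, ref) for git:: module sources on GitHub; no ?ref= means the default branch."""
    refs = []
    for m in re.finditer(r'source\s*=\s*"([^"]+)"', tf_text):
        gh = GITHUB_RE.search(m.group(1))
        ref = re.search(r'[?&]ref=([^&"]+)', m.group(1))
        if gh:
            refs.append((gh.group(1), gh.group(2), ref.group(1) if ref else "HEAD"))
    return refs

def github_refs_from_composer(composer_json):
    """(owner, repo, None) for type=vcs repositories; Composer pins by version, so no ref check."""
    refs = []
    for repo in json.loads(composer_json).get("repositories", []):
        gh = GITHUB_RE.search(repo.get("url", "")) if repo.get("type") == "vcs" else None
        if gh:
            refs.append((gh.group(1), gh.group(2), None))
    return refs

def audit(refs, resolve_owner):
    """resolve_owner(owner, repo) -> owner GitHub now serves the repo under (after redirects),
    or None if gone. A changed owner means the old namespace was released and is claimable."""
    findings = []
    for owner, repo, ref in refs:
        current = resolve_owner(owner, repo)
        if current is None:
            findings.append(f"{owner}/{repo}: not found; namespace may be claimable")
        elif current.lower() != owner.lower():
            findings.append(f"{owner}/{repo}: owner renamed to {current}; old name may be re-registered")
        if ref is not None and not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"{owner}/{repo}: mutable ref '{ref}', not a commit SHA")
    return findings

# Constructed sample inputs and a constructed stand-in for the HTTPS redirect lookup.
TF_SAMPLE = '''module "net" { source = "git::https://github.com/example-org/tf-mod.git?ref=v1.2.0" }
module "pinned" {
  source = "git::https://github.com/acme/tf-other.git?ref=0123456789abcdef0123456789abcdef01234567"
}'''
COMPOSER_SAMPLE = '{"repositories": [{"type": "vcs", "url": "https://github.com/acme/php-lib"}]}'
RENAMES = {("example-org", "tf-mod"): "example-org-renamed", ("acme", "tf-other"): "acme",
           ("acme", "php-lib"): "acme"}
def run_demo():
    refs = github_refs_from_terraform(TF_SAMPLE) + github_refs_from_composer(COMPOSER_SAMPLE)
    return audit(refs, lambda owner, repo: RENAMES.get((owner, repo)))
```

In a real pipeline, `resolve_owner` would issue an HTTPS request for each repository and compare the final owner after redirects with the one in the manifest; the SHA-pinning finding is the mitigation that holds even if the namespace is later taken over.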

Finally, it discusses recent mitigations implemented by HashiCorp for Terraform and by Packagist for Composer, as well as measures taken by SCM providers such as GitHub to limit such takeovers. The post concludes by emphasizing the importance of these findings and encouraging further awareness and research on Repo Jacking to protect software ecosystems.

Go here to read the Original Post
