A recently disclosed vulnerability in GitHub put thousands of repositories at risk of repojacking attacks. The flaw lets an attacker exploit a race condition between GitHub's repository creation and username renaming operations. Because package managers and workflow files resolve dependencies by GitHub owner/repository path, the researchers estimate that over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub Actions, could have been hijacked through it.

The issue was responsibly disclosed to GitHub on March 1, 2023, and GitHub addressed it as of September 1, 2023. Repojacking, also known as repository hijacking, is the takeover of a repository namespace (owner/repository) that its original owner has abandoned by renaming or deleting the account: anything that still references the old path, such as a Go import path, a Composer or Swift package URL, or a `uses:` line in a GitHub Actions workflow, then resolves to code the attacker controls. GitHub's "popular repository namespace retirement" mechanism exists to block this, and the new flaw bypasses it.

The safeguard works as follows: when an account is renamed, every owner/repository name pair under the old username that had more than 100 clones is marked "retired", and no account, including one that later registers the old username, may create a repository with that name. If this check can be circumvented, a threat actor can register the abandoned username, create a repository with the retired name, and serve malicious code to every consumer still resolving the old path, which is a software supply chain attack.

Researchers at Checkmarx, an application security company, outlined a new method that takes advantage of a race condition between repository creation and username renaming to achieve repojacking. The steps involved in this method are as follows:

· The victim owns the namespace “victim_user/repo.”
· The victim renames “victim_user” to “renamed_user.”
· The “victim_user/repo” namespace is now retired.
· A threat actor using the username “attacker_user” creates a repository named “repo” and, at the same moment, changes their username to “victim_user.”

In practice this means sending the API request that creates the repository while the request that renames the account is held (for example in an intercepting proxy) and released at the same instant. Each request passes its own validation before the other has committed: the creation check sees "attacker_user/repo", which is not retired, and the rename check sees an account with no repository named "repo" yet. After both commit, the attacker owns "victim_user/repo". It is important to note that GitHub had previously patched a similar bypass flaw that could lead to repojacking attacks.
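The interleaving described above can be written out as a small model. The following is an added example, not Checkmarx's proof of concept and not GitHub's code: it models the retirement rule and the two operations with separate validation and commit steps, replays the ordering in which both validations pass before either commit, and then shows a version in which each operation validates and commits as one atomic step (a lock here; the page does not describe the exact fix GitHub shipped). All class and function names, the clone counts, and the scenario itself are constructed for the illustration.

```python
# Added illustration of the repository-creation / username-rename race.
# Names such as NamespaceService and race_vulnerable are invented for this
# example and do not correspond to GitHub's implementation.
import threading

VICTIM, RENAMED, ATTACKER, REPO = "victim_user", "renamed_user", "attacker_user", "repo"
RETIREMENT_CLONE_THRESHOLD = 100  # the "more than 100 clones" rule from the text


class NamespaceService:
    """Model of repository creation, username renaming and namespace retirement.

    Each operation is split into a validation step and a commit step so that
    an interleaving of the two operations can be written out explicitly.
    """

    def __init__(self):
        self.repos = {}        # owner -> {repo name: clone count}
        self.retired = set()   # (owner, repo) pairs that may never be re-created

    # --- validation ----------------------------------------------------------
    def check_create(self, owner, name):
        # A new repository may not re-occupy a retired owner/name pair.
        return (owner, name) not in self.retired

    def check_rename(self, old, new):
        # A rename may not move any existing repository onto a retired pair.
        return all((new, n) not in self.retired for n in self.repos.get(old, {}))

    # --- commits -------------------------------------------------------------
    def commit_create(self, owner, name):
        self.repos.setdefault(owner, {})[name] = 0

    def commit_rename(self, old, new):
        # Popular repositories keep their old owner/name pair retired.
        for name, clones in self.repos.get(old, {}).items():
            if clones > RETIREMENT_CLONE_THRESHOLD:
                self.retired.add((old, name))
        self.repos[new] = self.repos.pop(old, {})

    def owns(self, owner, name):
        return name in self.repos.get(owner, {})


class AtomicNamespaceService(NamespaceService):
    """Same rules, but validation and commit run under one lock, so no other
    operation can commit between a check and the state change it guards."""

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def create_repo(self, owner, name):
        with self._lock:
            if not self.check_create(owner, name):
                return False
            self.commit_create(owner, name)
            return True

    def rename_user(self, old, new):
        with self._lock:
            if not self.check_rename(old, new):
                return False
            self.commit_rename(old, new)
            return True


def _victim_setup(svc):
    # Constructed scenario: victim_user/repo is popular, then its owner renames.
    svc.repos[VICTIM] = {REPO: 5000}
    svc.commit_rename(VICTIM, RENAMED)          # retires ("victim_user", "repo")
    svc.repos[ATTACKER] = {}


def race_vulnerable():
    """Both requests are validated before either commits: the bypass."""
    svc = NamespaceService()
    _victim_setup(svc)
    ok_create = svc.check_create(ATTACKER, REPO)    # attacker_user/repo is not retired
    ok_rename = svc.check_rename(ATTACKER, VICTIM)  # attacker has no repositories yet
    if ok_create:
        svc.commit_create(ATTACKER, REPO)
    if ok_rename:
        svc.commit_rename(ATTACKER, VICTIM)         # attacker now holds victim_user/repo
    return svc.owns(VICTIM, REPO)


def race_hardened():
    """With check-and-commit atomic, both possible orderings are refused."""
    results = []
    for first in ("create", "rename"):
        svc = AtomicNamespaceService()
        _victim_setup(svc)
        if first == "create":
            svc.create_repo(ATTACKER, REPO)      # succeeds: attacker_user/repo
            svc.rename_user(ATTACKER, VICTIM)    # refused: would land on a retired pair
        else:
            svc.rename_user(ATTACKER, VICTIM)    # succeeds: nothing to collide yet
            svc.create_repo(VICTIM, REPO)        # refused: victim_user/repo is retired
        results.append(svc.owns(VICTIM, REPO))
    return results


if __name__ == "__main__":
    print("vulnerable model hijacked:", race_vulnerable())  # True
    print("hardened model hijacked:", race_hardened())      # [False, False]
```

The hardened variant makes the point that the individual checks were never wrong; the defect is that each one validated a snapshot that the other operation could invalidate before the commit landed. Serialising check and commit per namespace, or re-validating the final owner/name pair at commit time, closes that window.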

The discovery of this vulnerability highlights the persistent risk around the "popular repository namespace retirement" mechanism: any non-atomic path through GitHub's repository creation and username renaming operations is a candidate for another bypass.
