Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Repo Jacking: Exploiting the Dependency Supply Chain- 284

Indiana Moreau - Security Innovation, posted 5 years ago
  • A subdomain takeover is a vulnerability that is very similar to this one; there is a dangling record that can be used in order to assert oneself as another user.
  • This blog post discusses the same type of attack, but for hijacking GitHub repositories.
  • There were three main ways identified:
    • A GitHub user renames their account
    • A GitHub user transfers their repository to another user or organization and then deletes their account
    • A user deletes their account
  • Additionally, GitHub has repository redirects, which is another scenario to watch out for.
  • After doing an analysis of all of GitHub, it was discovered that 18,000 projects were vulnerable to this attack! Going down the dependency chain to a depth of 5, 70,000 projects are impacted, with only 1.5 million stars combined.
  • To remediate this issue, do not use Github as a package manager.
  • Overall, great article with an interesting analysis. Huge S/O to my co-worker Indiana for his research!
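The remediation above amounts to "find every dependency you resolve through a GitHub owner/repo name and move it to a real registry". The script below, an added example that is not from the article or its author, is one way to inventory those dependencies in a package.json and a pip requirements file. The manifests, owners and repositories in it are constructed for the example; it also separates out entries pinned to a full 40-character commit SHA, since a hijacked namespace cannot serve a different tree for a fixed commit, which is a complementary control the article itself does not discuss.

```python
"""Added example: list dependencies that resolve through a GitHub owner/repo.

Any such entry inherits the repo-jacking exposure described above (owner
renames or deletes the account, repository redirect). Entries pinned to a
full commit SHA are reported separately.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample manifests; every owner and repository here is fictitious.
SAMPLE_PACKAGE_JSON = {
    "dependencies": {
        "left-pad": "^1.3.0",
        "cool-lib": "github:example-user/cool-lib",
        "other-lib": "example-org/other-lib#v1.2.0",
        "pinned-lib": "git+https://github.com/example-org/pinned-lib.git"
                      "#0123456789abcdef0123456789abcdef01234567",
        "lodash": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    }
}

SAMPLE_REQUIREMENTS_TXT = """\
requests==2.31.0
# direct VCS reference that follows a branch name
git+https://github.com/example-user/tool.git@main#egg=tool
git+https://github.com/example-org/lib.git@0123456789abcdef0123456789abcdef01234567#egg=lib
"""

# github.com/<owner>/<repo>[.git] followed by a ref delimiter, a path, or end of string
GITHUB_URL = re.compile(
    r"github\.com[/:](?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?(?=[@#/]|$)"
)
# npm shorthand: "owner/repo", "github:owner/repo", optional "#ref"
SHORTHAND = re.compile(r"^(?:github:)?(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?:#(?P<ref>.+))?$")
REF = re.compile(r"[@#](?P<ref>[^@#]+)")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
EGG = re.compile(r"#egg=(?P<name>[\w.-]+)")


@dataclass(frozen=True)
class Finding:
    name: str
    owner: str
    repo: str
    ref: Optional[str]

    @property
    def pinned_to_commit(self) -> bool:
        """True only when the ref is a full 40-hex commit SHA (tags and branches can move)."""
        return bool(self.ref and COMMIT_SHA.match(self.ref))


def parse_github_spec(spec: str) -> Optional[tuple]:
    """Return (owner, repo, ref) when `spec` resolves through GitHub, else None."""
    m = GITHUB_URL.search(spec)
    if m:
        r = REF.search(spec[m.end():])
        ref = r["ref"] if r and not r["ref"].startswith("egg=") else None
        return m["owner"], m["repo"], ref
    m = SHORTHAND.match(spec)
    if m:
        return m["owner"], m["repo"], m["ref"]
    return None


def audit_package_json(manifest: dict) -> list:
    """Walk dependencies/devDependencies and keep those resolved via GitHub."""
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            parsed = parse_github_spec(spec)
            if parsed:
                findings.append(Finding(name, *parsed))
    return findings


def audit_requirements(text: str) -> list:
    """Same for a pip requirements file; the name comes from #egg= when present."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_github_spec(line)
        if parsed:
            egg = EGG.search(line)
            findings.append(Finding(egg["name"] if egg else parsed[1], *parsed))
    return findings


def unpinned(findings) -> list:
    """Names of GitHub-sourced dependencies that are not pinned to a full commit SHA."""
    return [f.name for f in findings if not f.pinned_to_commit]


if __name__ == "__main__":
    found = audit_package_json(SAMPLE_PACKAGE_JSON) + audit_requirements(SAMPLE_REQUIREMENTS_TXT)
    for f in found:
        state = "pinned to commit" if f.pinned_to_commit else "UNPINNED"
        print(f"{f.name:12} github.com/{f.owner}/{f.repo} ref={f.ref} [{state}]")
```

Run against the constructed manifests it reports five GitHub-sourced dependencies, three of which (cool-lib, other-lib, tool) float on a branch, tag or default ref and should be moved to a registry or, failing that, pinned to a commit. Registry tarball URLs and plain semver ranges are not flagged, because those are resolved by the registry rather than by a GitHub account name.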