Software Security Supply Chain News

GitHub's Repojacking Attack Exposes 15,000 Vulnerable Go Module Repositories

Over 15,000 Go module repositories on GitHub are vulnerable to repojacking, an attack technique that takes advantage of account username changes and deletions to create repositories with the same name and stage open-source software supply chain attacks. These repositories account for at least 800,000 Go module-versions. Go modules are particularly susceptible to repojacking due to their decentralized nature. GitHub has implemented countermeasures, but they are not effective for Go modules. The responsibility to mitigate repojackings lies with Go or GitHub, and in the meantime, Go developers are advised to be cautious about the modules they use. Additionally, 1,681 exposed API tokens on Hugging Face and GitHub have been discovered, potentially enabling supply chain attacks, training data poisoning, and model theft.