Shulou(Shulou.com)11/24 Report--

CTOnews.com, June 27, the security company Aqua Nautilus recently exposed a RepoJacking vulnerability in the GitHub library, which can be exploited by hackers to hack into GitHub's private or public libraries and replace files in these organizations' internal environments or customer environments with versions with malicious code to carry out hijacking attacks.

It is understood that RepoJacking can occur when GitHub users / organizations change their names, a supply chain attack that allows attackers to take over dependencies or entire projects of the GitHub project to run malicious code against any device that uses these projects.

Hackers can directly scan the Internet, lock GitHub libraries that need to be attacked, bypass GitHub repository restrictions, and replace the files with Trojan versions. After other users download and deploy, hackers can manipulate user terminals to carry out attacks.

Aqua Nautilus uses Lyft for demonstration, they have created a fake repository and redirected the fetch script, users using install.sh script will unwittingly install Lyft with malicious code themselves, and as of press time, the vulnerability in Lyft has been fixed.

▲ diagram source Aqua Nautilus

▲ source Aqua Nautilus researchers also found vulnerabilities in Google's library in GitHub:

When a user accesses https://github.com/socraticorg/mathsteps, it will be redirected to https://github.com/google/mathsteps so the end user will have access to Google's repository. However, because the socraticorg organization is available, attackers can open the socraticorg / mathsteps repository, and users who execute installation commands given by Google directly from the terminal will actually download malicious files replaced by hackers.

Google has now fixed the problem after feedback from Aqua Nautilus.

Aqua Nautilus said that users can create a link between the old name and the new name of the GitHub library (redirect the old name to the new name) to avoid the RepoJacking vulnerability. CTOnews.com friends can refer to here for more information.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.