Repo jacking is often the first step in a supply chain attack. Learn the security methods and tools used to help protect your organization.
In recent months, an increasingly prevalent threat to open source repositories has been the observed in the rise of cases of repository hijacking—repo jacking for short.
Repo jacking is the intentional, forced takeover by a malicious attacker of an owner or maintainer account hosting a repository. Access to the account allows the attacker to serve malicious code to implementations of the project or projects that use it as a dependency.
This type of supply chain attack is typically carried out through one of two methods that exploit a lack of reregistration validation in hosting platforms such as GitHub.
In both cases, an attacker effectively gains full control of the repository, allowing them carry out a variety of privileged actions. These may involve appointing other malicious users or self-created accounts as administrators/maintainers, which can in turn be used to approve push and pull requests to a repository. In this manner, malicious or unwanted code can be forced onto new versions of the project. Inversely, versions and functional code can be deleted from the repository or breaking commits intentionally pushed, allowing for the sabotage or corruption of pre-existing functionality.
Successful repository hijacking attacks can have serious security impacts for users of the package or product, particularly in cases where affected packages are used as dependencies. This is often due to the nature of the attack, which allows unrestricted malicious code upload, with the rereleasing of existing versions or the releasing of new versions. These are used to serve the malicious code directly to external projects that automatically bump to a new version of the affected package or use a recently released version that is manually set.
Attacks can go undetected for days or even weeks and are typically only disclosed by vigilant researchers, hawk-eyed users, or by the original owner realizing they had been hijacked (such as in the case of UAParser.js). The onus of dealing with the problem usually lies with the hosting platform, which could take steps to mitigate malicious package versions by removing them or suspending the compromised account.
Though these attacks are relatively simple in terms of exploitability, they are highly dependent on conditions not typically found in the accounts of popular project owners, particularly projects that are frequently updated. In these cases, attackers target active account owners with phishing or more accurate “whaling” techniques to try and gain access to the account, or force them to carry out actions in some form of cross-site scripting attack, though many browsers and sites have in-built protection against this.
A recent example of repository hijacking came in May 2022 in the form of Python package CTX, which had its repository hijacked on popular Python package hosting site PyPI. In this case, the original domain-hosting email for the owner account expired, leaving it open to a password reset and domain reregistration by a third party. It is unclear how much time elapsed between the account expiring and the successful hijacking attempt, but once the hijack was initiated, it took the attacker just 40 minutes to begin uploading malicious versions of the package, replacing the original versions.
This takeover went undiscovered for 10 days. During that time, malicious versions of CTX were downloaded over 27,000 times.
As for the malicious code, a section of code was added in the ctx.py file, which exfiltrated the environmental variables of a user and sent the data to an external endpoint, in this case a hosted Heroku server. The exfiltrated data potentially included sensitive user information, such as API keys and passwords, which were stored as environmental variables, making them easily accessible.
PyPI administrators moved quickly to suspend the hijacked account and remove all versions, malicious and original, of CTX, which at the time of this writing has not been reinstated.
This vulnerability was covered in Black Duck® Security Advisory BDSA-2022-1523.
Similarly, PHP package PhPass, which is hosted on the Packagist PHP hosting platform and GitHub, was exploited in the same way in May 2022. The original owner’s account was deleted and reregistered by a bad actor, giving access to the original repository. Using this access, original package versions were replaced with malicious versions.
The malicious code contained in these replacement versions carried out the same action as the CTX takeover—extracting environmental variables to the very same endpoint.
As a solution to this issue, a forked repository was created containing the original, nonmalicious versions. To ensure no further downloads of versions on the malicious repo, Packagist rerouted the original download URL to the new fork.
This vulnerability was covered in Black Duck Security Advisory BDSA-2022-1526.
The code introduced in these malicious versions had particularly harmful impacts. Notably, on install, the code downloaded and execute binaries from a remote server. One such binary was cryptocurrency mining software, demonstrating the ability for a remote attacker to take control of the victim’s system. Another such binary, introduced only on Windows systems, was a trojan that exfiltrated sensitive information from the system.
Hours after the UAParser.js attack, the author of the package removed the compromised versions from npm and released three new versions (0.7.30, 0.8.1, and 1.0.1) to help mitigate automatic projected upgrades from retaining the malicious versions.
This vulnerability was covered in Black Duck Security Advisory BDSA-2021-3228.
As supply chain attacks are on the rise, so too are cases of repo hacking because it is often the first step in a supply chain attack. Taking over a repository can be a simple process but still lead to serious and harmful impacts. There are mitigations currently available and in the pipeline to address the rise in these kinds of attacks.
Domain takeovers are a common part of the supply chain in hijacking repositories, such as when a bad actor reregisters the expired domain of an email and uses the domain to request password resets. Repository hosting platforms can attempt to prevent this by pre-emptively removing or suspending accounts with near-expiry and expired domains. Cutting that link in the chain is an important step in blocking access to accounts that could be compromised. However, this would come at a greater maintenance and monitoring responsibility for hosting platforms.
Over the coming years and months, open source projects will continue to expand and increase in quantity, becoming even more dependency-based and vulnerable to hijacking. In parallel to this expansion, more owner and author accounts will become inactive and be deleted, thus opening further opportunities for bad actors to hijack repositories.
Though mitigation to prevent many of these vulnerabilities is possible, the current industry landscape shows a limited number of users opting-in to preventative technologies such as MFA. Mandatory enforcement of methods such as 2FA may be the way forward, as repository owners’ reluctance to employ it may be hampering efforts to reduce the impacts of repository hijacking.
Black Duck Security Advisories (BDSAs) provide Black Duck customers with detailed information about vulnerabilities as they are disclosed, with accompanying alerts outlining vulnerable code and mitigations in used packages. Customers can use BDSAs to quickly mitigate new vulnerabilities and become informed on malicious developments in packages, such as repo jacking. BDSAs of hijacked packages detail vulnerable versions, critical information, and new developments, such as forked repositories.
Theo Burton is a vulnerability analyst intern on the Black Duck Security Research team and a final-year student at Queen’s University Belfast. He has a keen interest in vulnerability management and takes interest particularly in emerging threat and vulnerability types. In his free time he enjoys traveling, photography, and volunteering.