The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Analysis: Repo jacking in the software supply chain

Black Duck Editorial Staff

Aug 01, 2022 / 6 min read

In recent months, an increasingly prevalent threat to open source repositories has been the observed in the rise of cases of repository hijacking—repo jacking for short.

About repo jacking

Repo jacking is the intentional, forced takeover by a malicious attacker of an owner or maintainer account hosting a repository. Access to the account allows the attacker to serve malicious code to implementations of the project or projects that use it as a dependency.

This type of supply chain attack is typically carried out through one of two methods that exploit a lack of reregistration validation in hosting platforms such as GitHub.

  • Name change: When a user of a hosting platform changes their username, an attacker can potentially reregister the repository with the original username. This allows the repository to be re-created, with the original repository URL likely to still be accessed for updates by victim packages that use the project as a dependency.
  • Account deletion: Similar to name change, an attacker can reregister a deleted account and re-create the repository. This method is more likely to cause errors for projects trying to fetch the repository through a URL, as the link would be broken. This has been successfully bypassed through reregistration of the deleted username in between the time of deletion and refresh of projects attempting to fetch the repo.

In both cases, an attacker effectively gains full control of the repository, allowing them carry out a variety of privileged actions. These may involve appointing other malicious users or self-created accounts as administrators/maintainers, which can in turn be used to approve push and pull requests to a repository. In this manner, malicious or unwanted code can be forced onto new versions of the project. Inversely, versions and functional code can be deleted from the repository or breaking commits intentionally pushed, allowing for the sabotage or corruption of pre-existing functionality.

The harmful impact to security

Successful repository hijacking attacks can have serious security impacts for users of the package or product, particularly in cases where affected packages are used as dependencies. This is often due to the nature of the attack, which allows unrestricted malicious code upload, with the rereleasing of existing versions or the releasing of new versions. These are used to serve the malicious code directly to external projects that automatically bump to a new version of the affected package or use a recently released version that is manually set.

Attacks can go undetected for days or even weeks and are typically only disclosed by vigilant researchers, hawk-eyed users, or by the original owner realizing they had been hijacked (such as in the case of UAParser.js). The onus of dealing with the problem usually lies with the hosting platform, which could take steps to mitigate malicious package versions by removing them or suspending the compromised account.

Though these attacks are relatively simple in terms of exploitability, they are highly dependent on conditions not typically found in the accounts of popular project owners, particularly projects that are frequently updated. In these cases, attackers target active account owners with phishing or more accurate “whaling” techniques to try and gain access to the account, or force them to carry out actions in some form of cross-site scripting attack, though many browsers and sites have in-built protection against this.

Real-world examples of repo jacking

CTX

A recent example of repository hijacking came in May 2022 in the form of Python package CTX, which had its repository hijacked on popular Python package hosting site PyPI. In this case, the original domain-hosting email for the owner account expired, leaving it open to a password reset and domain reregistration by a third party. It is unclear how much time elapsed between the account expiring and the successful hijacking attempt, but once the hijack was initiated, it took the attacker just 40 minutes to begin uploading malicious versions of the package, replacing the original versions.

This takeover went undiscovered for 10 days. During that time, malicious versions of CTX were downloaded over 27,000 times.

As for the malicious code, a section of code was added in the ctx.py file, which exfiltrated the environmental variables of a user and sent the data to an external endpoint, in this case a hosted Heroku server. The exfiltrated data potentially included sensitive user information, such as API keys and passwords, which were stored as environmental variables, making them easily accessible.

PyPI administrators moved quickly to suspend the hijacked account and remove all versions, malicious and original, of CTX, which at the time of this writing has not been reinstated.

This vulnerability was covered in Black Duck® Security Advisory BDSA-2022-1523.
 

PhPass

Similarly, PHP package PhPass, which is hosted on the Packagist PHP hosting platform and GitHub, was exploited in the same way in May 2022. The original owner’s account was deleted and reregistered by a bad actor, giving access to the original repository. Using this access, original package versions were replaced with malicious versions.

The malicious code contained in these replacement versions carried out the same action as the CTX takeover—extracting environmental variables to the very same endpoint.

As a solution to this issue, a forked repository was created containing the original, nonmalicious versions. To ensure no further downloads of versions on the malicious repo, Packagist rerouted the original download URL to the new fork.

This vulnerability was covered in Black Duck Security Advisory BDSA-2022-1526.
 

UAParser.js

A more extreme occurrence of repository hijacking occurred in October 2021, when popular JavaScript library UAParser.js, was weaponized through the takeover of the author’s npm account. The bad actor published three malicious versions, 0.7.29, 0.8.0, and 1.0.0. This quickly became a large-scale attack, as the package regularly receives between 8 to 9 million weekly downloads and is widely used across projects.

The code introduced in these malicious versions had particularly harmful impacts. Notably, on install, the code downloaded and execute binaries from a remote server. One such binary was cryptocurrency mining software, demonstrating the ability for a remote attacker to take control of the victim’s system. Another such binary, introduced only on Windows systems, was a trojan that exfiltrated sensitive information from the system.

Hours after the UAParser.js attack, the author of the package removed the compromised versions from npm and released three new versions (0.7.30, 0.8.1, and 1.0.1) to help mitigate automatic projected upgrades from retaining the malicious versions.

This vulnerability was covered in Black Duck Security Advisory BDSA-2021-3228.

Methods to protect your organization from repo jacking

As supply chain attacks are on the rise, so too are cases of repo hacking because it is often the first step in a supply chain attack. Taking over a repository can be a simple process but still lead to serious and harmful impacts. There are mitigations currently available and in the pipeline to address the rise in these kinds of attacks.

Multifactor authentication, commonly implemented as two-factor authentication (2FA) provides a second layer of security for access to accounts. In theory, it should prevent a bad actor from gaining access to an expired or deleted account. GitHub, one of the largest hosts, has announced that 2FA will be mandatory for all maintainer accounts from 2023 onward. This represents a large uptick in the adoption of 2FA, as currently only 16.5% of active GitHub users use 2FA. Popular JavaScript package manager npm, on the other hand, does not enforce and has not announced intentions to enforce 2FA—despite having 32% of the top 35 npm packages at risk of account takeover due to lack of 2FA, according to Aqua Security, Team Nautilus.

Domain takeovers are a common part of the supply chain in hijacking repositories, such as when a bad actor reregisters the expired domain of an email and uses the domain to request password resets. Repository hosting platforms can attempt to prevent this by pre-emptively removing or suspending accounts with near-expiry and expired domains. Cutting that link in the chain is an important step in blocking access to accounts that could be compromised. However, this would come at a greater maintenance and monitoring responsibility for hosting platforms.

Over the coming years and months, open source projects will continue to expand and increase in quantity, becoming even more dependency-based and vulnerable to hijacking. In parallel to this expansion, more owner and author accounts will become inactive and be deleted, thus opening further opportunities for bad actors to hijack repositories.

Though mitigation to prevent many of these vulnerabilities is possible, the current industry landscape shows a limited number of users opting-in to preventative technologies such as MFA. Mandatory enforcement of methods such as 2FA may be the way forward, as repository owners’ reluctance to employ it may be hampering efforts to reduce the impacts of repository hijacking.

How Black Duck Security Advisories can help

Black Duck Security Advisories (BDSAs) provide Black Duck customers with detailed information about vulnerabilities as they are disclosed, with accompanying alerts outlining vulnerable code and mitigations in used packages. Customers can use BDSAs to quickly mitigate new vulnerabilities and become informed on malicious developments in packages, such as repo jacking. BDSAs of hijacked packages detail vulnerable versions, critical information, and new developments, such as forked repositories.

Continue Reading

Explore Topics