Thousands of Go module repositories on GitHub are vulnerable to attack

According to a new report from cybersecurity researchers at VulnCheck, there are more than 9,000 repositories vulnerable to repojacking because of GitHub username changes, and 6,000 repositories vulnerable due to account deletion. Together, they host at least 800,000 Go module-versions.

Remaining vigilant

Analysing the alert, The Hacker News said modules written in Go are “particularly susceptible” to repojacking because they are decentralized and get published to version control platforms like GitHub or BitBucket.

"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Jacob Baines, chief technology officer at VulnCheck, told the publication. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."

GitHub already tried to tackle this problem via a feature called “popular repository namespace retirement”. It prevents users from creating repositories with the names of retired namespaces that were cloned more than 100 times in the past. However, VulnCheck says the feature isn’t of much help as Go modules are cached by the module mirror, meaning there could be popular Go modules with fewer than 100 clones, and thus still susceptible to repojacking.

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."

More from TechRadar Pro

• GitHub unveils Copilot Enterprise to transform your corporate codebase
• Here's a list of the best firewalls today
• These are the best endpoint protection software right now