15,000 Go Module Repositories on GitHub Are Vulnerable to Repojacking

admin, 7 December 2023 14:16:47, 15 views, 3549 characters, 11 min 49 s read

New research has found that over 15,000 Go module repositories on GitHub are vulnerable to an attack called repojacking.

"More than 9,000 repositories are vulnerable to repojacking due to GitHub username changes," Jacob Baines, chief technology officer at VulnCheck, said in a report shared with The Hacker News. "More than 6,000 repositories were vulnerable to repojacking due to account deletion."

Collectively, these repositories account for no less than 800,000 Go module-versions.

Repojacking, a portmanteau of "repository" and "hijacking," is an attack technique that allows a bad actor to take advantage of account username changes and deletions to create a repository with the same name and the pre-existing username to stage open-source software supply chain attacks.

Earlier this June, cloud security firm Aqua revealed that millions of software repositories on GitHub are likely vulnerable to the threat, urging organizations that undergo name changes to keep their previous names registered as placeholder accounts to prevent such abuse.

Modules written in the Go programming language are particularly susceptible to repojacking because, unlike packages in centralized registries such as npm or PyPI, they are decentralized: a Go module is published simply by hosting it on a version control platform such as GitHub or Bitbucket, so the hosting repository's path is the module's identity.

"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details," Baines said. "An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev."

To prevent developers from pulling down potentially unsafe packages, GitHub has in place a countermeasure called popular repository namespace retirement that blocks attempts to create repositories with the names of retired namespaces that have been cloned more than 100 times prior to the owners' accounts being renamed or deleted.

But VulnCheck noted that this protection isn't helpful for Go modules, because the module mirror caches them, so consumers never need to interact with or clone the repository. In other words, a widely used Go module can live in a repository that has been cloned fewer than 100 times, which leaves its name outside the retirement protection and amounts to a bypass of sorts.

"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on," Baines said. "A third-party can't reasonably register 15,000 GitHub accounts. Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from."

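The audit Baines recommends, checking the state of the repositories your modules come from, can be automated for the GitHub-hosted part of a go.mod. The following is an added example, not code from VulnCheck or from the article: it parses the require entries of a constructed go.mod, groups them by GitHub account, and reports the modules whose owner a caller-supplied probe says no longer exists (a real probe would issue an HTTP HEAD to https://github.com/<owner> and treat a 404 as "name available"; that behaviour is an assumption about GitHub, so it is left to the caller).

```go
package main

import (
	"sort"
	"strings"
)

// Constructed go.mod used as sample input (not a real project).
const sampleGoMod = `module example.com/app
require github.com/gone-user/cli v0.3.0
require (
	github.com/gone-user/lib v1.2.0
	github.com/kept-user/tool v2.0.0 // indirect
	golang.org/x/net v0.17.0
)`

// githubOwners maps each GitHub account named in the go.mod "require"
// entries to the module paths hosted under it; other hosts are ignored.
func githubOwners(goMod string) map[string][]string {
	owners := map[string][]string{}
	inRequire := false
	for _, raw := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0]) // strip comments
		if strings.HasSuffix(line, "(") || line == ")" {
			inRequire = line == "require (" // only the require block matters
			continue
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if (!inRequire && !strings.HasPrefix(line, "require ")) || len(f) < 2 {
			continue // outside the require block, blank, or malformed
		}
		if p := strings.Split(f[0], "/"); len(p) >= 3 && p[0] == "github.com" {
			owners[p[1]] = append(owners[p[1]], f[0])
		}
	}
	return owners
}

// orphanedModules lists required modules whose GitHub owner no longer exists:
// the dependencies to vendor, pin via go.sum or replace before the name is reused.
func orphanedModules(goMod string, exists func(owner string) bool) []string {
	var out []string
	for owner, mods := range githubOwners(goMod) {
		if !exists(owner) {
			out = append(out, mods...)
		}
	}
	sort.Strings(out) // deterministic order regardless of map iteration
	return out
}
```

Because the module mirror keeps serving cached versions, a module listed here is not yet compromised; the point is that its name is free, so future versions should not be trusted without a go.sum match.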
The disclosure also comes as Lasso Security said it discovered 1,681 exposed API tokens on Hugging Face and GitHub, including tokens associated with Google, Meta, Microsoft, and VMware, that could potentially be exploited to stage supply chain, training data poisoning, and model theft attacks.

Originally published on the WeChat public account 知机安全: 15,000 Go Module Repositories on GitHub Are Vulnerable to Repojacking

Posted by admin on 7 December 2023 14:16:47
When reposting, please keep this article's link (CN-SEC 中文网; thanks to the original author for their work): 15,000 Go Module Repositories on GitHub Are Vulnerable to Repojacking https://cn-sec.com/archives/2276654.html
