Dark Mode
Capec-695 Detail
Repo Jacking
Detailed Social Engineering Supply Chain Communications Software Hardware Likelihood: Medium Typical Severity: High
Parents: 616
An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.
Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts.
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-695 | capec | https://capec.mitre.org/data/definitions/695.html | |
| CWE-494 | cwe | http://cwe.mitre.org/data/definitions/494.html | |
| CWE-829 | cwe | http://cwe.mitre.org/data/definitions/829.html | |
| T1195.001 | ATTACK | https://attack.mitre.org/wiki/Technique/T1195/001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools |
| REF-722 | reference_from_CAPEC | https://www.concretecms.org/about/project-news/security/supply-chain-hack-phpass-repo-jacking | Indiana Moreau, Repo Jacking: Exploiting the Dependency Supply Chain, 2020--10---22, Security Innovation |
| REF-732 | reference_from_CAPEC | https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-repo-jacking/ | Theo Burton, CyRC Vulnerability Analysis: Repo jacking in the software supply chain, 2022--08---02, Synopsys |
| REF-733 | reference_from_CAPEC | https://checkmarx.com/blog/attacker-caught-hijacking-packages-using-multiple-techniques-to-steal-aws-credentials/ | Jossef Harush, Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials, 2022--05---25, Checkmarx |
| REF-734 | reference_from_CAPEC | https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wild-by-attackers/ | Jossef Harush, GitHub RepoJacking Weakness Exploited in the Wild by Attackers, 2022--05---27, Checkmarx |
Explore
-
Identify target: The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.
Experiment
-
Recreate initial repository path: The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.
Exploit
-
Exploit victims: The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.
- Identification of a popular repository that may be directly referenced in numerous software applications
- A repository owner/maintainer who has recently changed their username or deleted their account
Not present
| Low |
|---|
| Ability to create malware that can exploit various software applications. |
| Integrity | Authorization | Access Control |
|---|---|---|
| Read Data | Execute Unauthorized Commands | Execute Unauthorized Commands |
| Modify Data | Alter Execution Logic | Alter Execution Logic |
| Gain Privileges | Gain Privileges |
- In May 2022, the CTX Python package and PhPass PHP package were both exploited by the same adversary via Repo Jacking attacks. For the CTX package, the adversary performed an account takeover via a password reset, due to an expired domain-hosting email. The attack on PhPass entailed bypassing GitHub's authentication for retired repositories. In both cases, sensitive data in the form of API keys and passwords, each stored in the form of environment variables, were exfiltrated. [REF-732] [REF-733]
- In October 2021, the popular JavaScript library UAParser.js was exploited via the takeover of the author's Node Package Manager (NPM) account. The adversary-provided malware downloaded and executed binaries from a remote server to conduct crypto-mining and to exfiltrate sensitive data on Windows systems. This was a wide-scale attack as the package receives 8 to 9 million downloads per week. [REF-732]