Repo Jacking: How Github usernames expose 70,000 open-source projects to remote code injection

Back to the list of Speakers and Sessions

Due to one small Github feature, some projects that depend directly on a Github repository are vulnerable to remote code injection. This talk will discuss novel research that was conducted to determine the prevalence of an obscure vulnerability related to Github project dependencies. The research demonstrates that this vulnerability, repo jacking, is exceedingly widespread and affects over 70,000 open-source projects. We will explain the vulnerability itself, what caused it and how to exploit it, as well as how we scanned a large percentage of open-source projects for this vulnerability. Finally, we will also discuss mitigations and how to protect yourself and your projects from it.

Does your project depend on a Github repository? It might become vulnerable to remote code injection simply due to one small Github feature. This talk will discuss ‘repo jacking’, an obscure supply chain vulnerability that allows attackers to hijack Github repositories and achieve remote code execution through dependency injection. This vulnerability has become exceedingly widespread in open-source projects and over 70,000 projects are affected. This vulnerability can affect any language and has been found to impact small personal games, huge web frameworks, cryptocurrency wallets, and everything in between. Come learn about this vulnerability, what causes it, why it has gone unnoticed for so long, and how to exploit it. Learn how you too can scan all open-source projects for this vulnerability, look for other similar vulnerabilities, and build dependency graphs to fully understand the impact of these types of issues. Finally, come hear about the outcome of this analysis, see how prevalent it is, who is impacted, and discuss some important mitigation strategies that you can use to protect your own projects from this, and other supply chain attacks.


Indiana Moreau Security Engineer, Security Innovation

Indiana is a security engineer at Security Innovation who specializes in testing web applications, APIs, and cloud configurations. He has a background in web development and previously worked in telecommunications and banking, performing penetration tests and security assessments. In his spare time, he works on personal coding projects and eats copious amounts of sushi.