On December 5th, 2023, it was reported that more than 15,000 Go module repositories on GitHub are vulnerable to repojacking, a technique in which a bad actor takes advantage of account username changes and deletions to create a repository with the same name and uses it to stage open-source software supply chain attacks.

Jacob Baines, chief technology officer at VulnCheck, stated that over 9,000 repositories are vulnerable to repojacking due to username changes and over 6,000 repositories are vulnerable due to account deletions, collectively accounting for at least 800,000 Go module versions.

The disclosure also revealed that millions of software repositories on GitHub are likely vulnerable to the threat, particularly Go programming language modules. GitHub has countermeasures in place to prevent such abuse, but it remains important for developers to know which modules they use and the state of the repositories those modules originate from.
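As an added example (not code from the original post, VulnCheck or GitHub), here is a small Python audit that parses a go.mod file and, for each GitHub-hosted dependency, asks the GitHub REST API whether the owner/repository still exists or now only resolves through a rename redirect, the two states the article describes as preconditions for a repojack. The API endpoint is real; the sample go.mod, the owner names and the injectable `status` stub are constructed for the demo.

```python
import re
import urllib.error
import urllib.request
# Module paths hosted on GitHub look like github.com/<owner>/<repo>[/subdir]
GITHUB_MODULE = re.compile(r"^github\.com/([\w.-]+)/([\w.-]+)")

# Constructed sample go.mod for the offline demo (not a real project's file)
SAMPLE_GO_MOD = """module example.com/app
go 1.21
require (
    github.com/old-owner/toolkit v1.4.0
    github.com/renamed-owner/lib v0.2.1 // indirect
    golang.org/x/text v0.14.0
)
require github.com/kept-owner/util v2.0.0+incompatible
"""

def parse_go_mod(text):
    """Return (module_path, version) pairs from both 'require m v' lines and
    'require ( ... )' blocks; trailing comments such as '// indirect' are dropped."""
    body = re.sub(r"//.*", "", text)                        # strip comments
    body = re.sub(r"require\s*\(([^)]*)\)", r"\1", body)    # unwrap blocks
    body = re.sub(r"^\s*require\s+", "", body, flags=re.M)  # single-line form
    return re.findall(r"^\s*(\S+)\s+(v\S+)\s*$", body, flags=re.M)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep urllib from silently following the 301 GitHub sends for renamed repos."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def github_status(owner, repo):
    """Live check (network call). Returns 'ok', 'missing' (404: owner or repo
    gone, so the name may be claimable) or 'redirected:<url>' (301: renamed/moved)."""
    req = urllib.request.Request(f"https://api.github.com/repos/{owner}/{repo}",
                                 headers={"User-Agent": "go-mod-repojack-audit"})
    try:
        urllib.request.build_opener(_NoRedirect).open(req, timeout=10)
        return "ok"
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "missing"
        if err.code in (301, 302, 307, 308):
            return "redirected:" + err.headers.get("Location", "")
        raise

def audit(go_mod_text, status=github_status):
    """Map each GitHub-hosted requirement to its status. 'status' is injectable
    so the audit can run offline against a stub instead of the live API."""
    return {path: status(*GITHUB_MODULE.match(path).groups())
            for path, _ in parse_go_mod(go_mod_text) if GITHUB_MODULE.match(path)}
```

Against a real project, `audit(open("go.mod").read())` hits the live API; treat every 'missing' or 'redirected' entry as a dependency to review and, where possible, move to its current canonical module path.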

Additionally, Lasso Security discovered 1,681 exposed API tokens on Hugging Face and GitHub, including tokens belonging to major companies, that could be exploited for supply chain attacks, training data poisoning, and model theft.


Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
