GitHub repo-jacking

From: How to stay safe from repo-jacking - The GitHub Blog

Concept

Imagine that GitHub were to change its account name to gh. Then, a repository such as https://github.com/github/cmark-gfm would be renamed to https://github.com/gh/cmark-gfm. Now, imagine that an attacker manages to register a new GitHub account with the newly available username github. Then, they could create a repository named cmark-gfm and start serving malware to developers who are still downloading their software from the original address.

Targets

  1. You’re using GitHub Actions.
  2. You’re using the Go programming language.
  3. You’re using git submodules.
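As an added example (not from the GitHub post or this page), a small Python audit over the three reference kinds listed above: it extracts `owner/repo` from GitHub Actions `uses:` lines, go.mod module lines and `.gitmodules` URLs, flags any owner found in a table of renamed accounts, and flags Actions references not pinned to a full commit SHA. The `RENAMED_OWNERS` table and all sample inputs are constructed to mirror the post's hypothetical github -> gh rename.

```python
import re

# CONSTRUCTED for illustration, mirroring the post's hypothetical "github" -> "gh"
# rename; in practice build this from your own records of renamed accounts.
RENAMED_OWNERS = {"github": "gh"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# GitHub Actions `uses: owner/repo[/path]@ref` (local ./ and docker:// actions don't match)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@(\S+)")
# go.mod: `require github.com/o/r vX` or a tab-indented line inside a require block
GOMOD_RE = re.compile(r"^\s*(?:require\s+)?github\.com/([\w.-]+)/([\w.-]+)\s+v\S+")
# .gitmodules: `url = https://github.com/o/r.git` or `url = git@github.com:o/r.git`
SUBMOD_RE = re.compile(
    r"^\s*url\s*=\s*(?:https://|git@)github\.com[:/]([\w.-]+)/([\w.-]+?)(?:\.git)?\s*$")
PATTERNS = {"actions": USES_RE, "gomod": GOMOD_RE, "gitmodules": SUBMOD_RE}

def audit(text: str, kind: str) -> list[str]:
    """Return one finding per risky GitHub reference in a file of the given kind."""
    findings = []
    for line in text.splitlines():
        m = PATTERNS[kind].match(line)
        if not m:
            continue
        owner, repo = m.group(1), m.group(2)
        if owner in RENAMED_OWNERS:
            # The old name is free to register, so the redirect can be hijacked.
            findings.append(f"{kind}: {owner}/{repo} uses the old account name "
                            f"(now {RENAMED_OWNERS[owner]}); update the reference")
        if kind == "actions" and not SHA_RE.match(m.group(3)):
            # A tag or branch resolves to whoever owns the name; a full SHA does not.
            findings.append(f"{kind}: {owner}/{repo}@{m.group(3)} not pinned to a commit SHA")
    return findings

# Constructed sample inputs for the three file kinds.
WORKFLOW = """steps:
  - uses: actions/checkout@v4
  - uses: github/cmark-gfm@0123456789abcdef0123456789abcdef01234567
  - uses: some-org/tool@main
"""
GOMOD = """module example.com/app
require (
\tgithub.com/github/cmark-gfm v0.29.0
\tgithub.com/example-org/lib v1.2.0
)
"""
GITMODULES = """[submodule "cmark-gfm"]
\tpath = vendor/cmark-gfm
\turl = https://github.com/github/cmark-gfm.git
"""
```

Call `audit(WORKFLOW, "actions")`, `audit(GOMOD, "gomod")` and `audit(GITMODULES, "gitmodules")` to see the findings; a full commit SHA keeps an Actions reference safe even if the name is taken over, because a hijacked repository cannot supply different content under that SHA.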