Supply Chain
Supply Chain Attacks
GitHub repo-jacking
From: How to stay safe from repo-jacking - The GitHub Blog
Concept
Suppose GitHub were to change its account name to gh. Then, a repository such as https://github.com/github/cmark-gfm would be renamed to https://github.com/gh/cmark-gfm. Now, imagine that an attacker manages to register a new GitHub account with the newly available username github. Then, they could create a repository named cmark-gfm and start serving malware to developers who are still downloading their software from the original address.
Targets
- You’re using GitHub Actions: a workflow references an action by `owner/repo@ref`, so a tag or branch ref is fetched from whoever owns that name at run time (pinning to a full commit SHA fixes the content but not the address).
- You’re using the Go programming language: the module path itself embeds `github.com/owner/repo`, so `go get` resolves it through that address (go.sum hashes catch swapped content only for modules already recorded there).
- You’re using git submodules: `.gitmodules` hardcodes the clone URL, so a fresh clone fetches from that address even though the superproject pins the submodule commit.
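An added example (not code from the GitHub blog post or from GitHub itself) that audits the three kinds of references above for repo-jacking exposure. It pulls `owner/repo` pairs out of a workflow file, a go.mod and a .gitmodules, then asks a probe whether each pair still resolves under its original owner. The probe is a hypothetical function: here it is backed by a constructed lookup table using the blog's hypothetical `github` to `gh` rename so the script runs offline; a real probe would send a HEAD request to `https://github.com/<owner>/<repo>` and compare the owner after following the redirect. The sample files, the `example-org/old-lib` module and the 40-hex SHA are all made up for the example.

```python
"""Audit Actions, Go and submodule references for repo-jacking exposure (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# uses: owner/repo[/subdir]@ref  (local ./ and docker:// actions have no @ref and do not match)
USES_RE = re.compile(r"uses:\s*([\w.-]+)/([\w.-]+)(?:/[\w./-]+)?@([\w./-]+)")
# go.mod: [require] github.com/owner/repo[/v2] v1.2.3
GOMOD_RE = re.compile(
    r"^\s*(?:require\s+)?github\.com/([\w.-]+)/([\w.-]+)(?:/[\w./-]+)?\s+(v[\w.+-]+)", re.M)
# .gitmodules: url = https://github.com/owner/repo[.git]  or  git@github.com:owner/repo[.git]
GITMODULES_RE = re.compile(
    r"url\s*=\s*(?:https?://|git@)github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?\s*$", re.M)


@dataclass(frozen=True)
class Ref:
    source: str   # "workflow", "go.mod" or ".gitmodules"
    owner: str
    repo: str
    ref: str      # tag, branch, SHA, module version, or "" for a submodule URL
    pinned: bool  # True only when ref is a full commit SHA


def extract_actions(text: str) -> list[Ref]:
    return [Ref("workflow", o, r, ref, bool(SHA_RE.match(ref))) for o, r, ref in USES_RE.findall(text)]


def extract_gomod(text: str) -> list[Ref]:
    # A version tag is not a hash; the h1: hashes live in go.sum, not go.mod.
    return [Ref("go.mod", o, r, v, False) for o, r, v in GOMOD_RE.findall(text)]


def extract_gitmodules(text: str) -> list[Ref]:
    # The superproject pins the commit, but the URL is not pinned: a fresh clone
    # fetches from whoever owns owner/repo at that moment.
    return [Ref(".gitmodules", o, r, "", False) for o, r in GITMODULES_RE.findall(text)]


def collect_refs(workflow: str, gomod: str, gitmodules: str) -> list[Ref]:
    return extract_actions(workflow) + extract_gomod(gomod) + extract_gitmodules(gitmodules)


# probe(owner, repo) -> "current_owner/current_repo" after redirects, or None if nothing answers
Probe = Callable[[str, str], Optional[str]]


@dataclass(frozen=True)
class Finding:
    ref: Ref
    status: str                # "ok", "redirected" or "missing"
    resolves_to: Optional[str]
    risk: str                  # "none", "medium" or "high"


def audit(refs: list[Ref], probe: Probe) -> list[Finding]:
    out = []
    for r in refs:
        target = probe(r.owner, r.repo)
        if target is None:
            # Nothing answers at the original address: the name may be free to register.
            out.append(Finding(r, "missing", None, "high"))
        elif target.split("/")[0].lower() != r.owner.lower():
            # The original address only works via a redirect. GitHub retires the namespaces
            # of popular renamed repositories, so treat this as "check whether the old owner
            # name is registrable". A SHA-pinned Action is still fetched from that address.
            out.append(Finding(r, "redirected", target, "medium" if r.pinned else "high"))
        else:
            out.append(Finding(r, "ok", target, "none"))
    return out


# --- constructed sample inputs, not real project files ---
SAMPLE_WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: github/cmark-gfm@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local
"""
SAMPLE_GOMOD = """
module example.com/app
require (
    github.com/github/cmark-gfm v0.29.0
    github.com/example-org/old-lib v1.2.3
)
"""
SAMPLE_GITMODULES = """
[submodule "vendor/cmark-gfm"]
    path = vendor/cmark-gfm
    url = https://github.com/github/cmark-gfm.git
"""
# Constructed stand-in for GitHub: the blog's hypothetical github -> gh rename
# plus one hypothetical deleted repository.
FAKE_DIRECTORY = {
    ("actions", "checkout"): "actions/checkout",
    ("github", "cmark-gfm"): "gh/cmark-gfm",
    ("example-org", "old-lib"): None,
}


def table_probe(owner: str, repo: str) -> Optional[str]:
    return FAKE_DIRECTORY.get((owner, repo))


def sample_report() -> list[Finding]:
    return audit(collect_refs(SAMPLE_WORKFLOW, SAMPLE_GOMOD, SAMPLE_GITMODULES), table_probe)


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f.risk:6} {f.status:10} {f.ref.source:12} {f.ref.owner}/{f.ref.repo} -> {f.resolves_to}")
```

The report flags every reference whose original address is gone or only reachable through a rename redirect; a "redirected" result is a prompt to check whether GitHub retired the old namespace, and in any case to update the reference to the new owner rather than keep relying on the redirect.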