15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack

Cyber Security Threat Summary:
A new report by VulnCheck indicates that over 15,000 Go module repositories on GitHub are vulnerable to Repojacking attacks. In such attacks, actors take advantage of GitHub username changes and account deletions to create a repository with the same name under the pre-existing username and trick unsuspecting users. Unlike other package managers such as npm or PyPI, which require developers to create accounts to upload their packages, the Go module ecosystem is decentralized, making it more susceptible to Repojacking and allowing actors to easily conduct software supply chain attacks.

Security Officer Comments:
GitHub has a feature called ‘popular repository namespace retirement’, which is designed to block attempts to create repositories with the names of retired namespaces that were cloned more than 100 times before the owners' accounts were renamed or deleted. However, some popular Go-based modules may have been cloned fewer than 100 times, allowing actors to bypass this defense. With 15,000 vulnerable Go module repositories on GitHub, this leaves ample opportunity for actors to launch successful Repojacking attacks.

Suggested Correction(s):
Developers should be more careful about the modules they use by verifying their authenticity and origin. Before deleting an account, owners should also consider archiving associated repositories. This will help maintain a history of the repository, allowing developers to identify suspicious activity in the event of a repojacking attack.
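
One way to check module origin, as an added example that is not part of the VulnCheck report: the Go sketch below scans a go.mod file and flags GitHub-hosted dependencies whose owner/repository path is redirected or missing, the two conditions that follow a username change or account deletion. `AuditGoMod`, `StatusFunc`, the meaning given to status codes 301 and 404, and the sample module names are assumptions made for illustration; the status lookup is injected so the example runs offline.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one GitHub-hosted dependency whose namespace needs review.
type Finding struct{ Module, Reason string }

// StatusFunc is a hypothetical lookup returning the HTTP status for a repository.
// Assumption: in real use it queries GitHub, where 301 = renamed/moved, 404 = gone.
type StatusFunc func(owner, repo string) int

// AuditGoMod flags GitHub modules in go.mod text whose original path no longer resolves directly.
func AuditGoMod(gomod string, status StatusFunc) []Finding {
	var out []Finding
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop comments such as "// indirect"
		fields := strings.Fields(line)
		if len(fields) == 0 || fields[0] == "module" {
			continue // skip blank lines and the project's own module path
		}
		for _, f := range fields {
			p := strings.Split(f, "/")
			if len(p) < 3 || p[0] != "github.com" {
				continue // not a github.com/<owner>/<repo> path
			}
			switch status(p[1], p[2]) {
			case 301:
				out = append(out, Finding{f, "redirected: owner or repository was renamed"})
			case 404:
				out = append(out, Finding{f, "not found: namespace may be open to re-registration"})
			}
		}
	}
	return out
}

// Constructed sample input; the owners and modules are made up.
const sampleGoMod = "module example.com/app\nrequire (\n\tgithub.com/old-owner/widget v1.2.0\n\tgithub.com/gone-user/parser/v2 v2.0.1 // indirect\n\tgithub.com/active-org/lib v0.9.0\n)\n"

func main() {
	// Constructed responses; owners without an entry return 0 and are not flagged.
	st := func(owner, _ string) int { return map[string]int{"old-owner": 301, "gone-user": 404}[owner] }
	for _, f := range AuditGoMod(sampleGoMod, st) {
		fmt.Printf("%s: %s\n", f.Module, f.Reason)
	}
}
```

A flagged module is a prompt to confirm who controls the path today before updating the dependency.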