Explore a critical security vulnerability affecting over 70,000 open-source projects in this 25-minute conference talk from NorthSec 2021. Dive into 'repo jacking', an obscure supply chain vulnerability that allows attackers to hijack Github repositories and achieve remote code execution through dependency injection. Learn about the vulnerability's causes, exploitation methods, and why it has gone unnoticed for so long. Discover how to scan open-source projects for this vulnerability, build dependency graphs, and understand its full impact. Examine the prevalence of repo jacking across various project types, from small personal games to large web frameworks and cryptocurrency wallets. Gain insights into mitigation strategies to protect your projects from this and other supply chain attacks.
Repo Jacking - How Github Usernames Expose Projects to RCE
Overview
Syllabus
Intro
Open-source Supply Chain Attacks
Repo Jacking
Vulnerable Scenarios
Repository Redirects
GitHub's Response
Mass Analysis
Data Collection
Clean Up
Hijackable Usernames
Dependency Analysis
4. Directly Vulnerable Projects
Key Findings
Remediations
Taught by
NorthSec
