Source: https://blog.aquasec.com/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking

Aqua Blog



Ilay Goldman Yakir Kadkoda
June 21, 2023


GITHUB DATASET RESEARCH REVEALS MILLIONS POTENTIALLY VULNERABLE TO REPOJACKING

Millions of GitHub repositories are potentially vulnerable to RepoJacking. New
research by Aqua Nautilus sheds light on the extent of RepoJacking, which if
exploited may lead to code execution on organizations’ internal environments or
on their customers’ environments. As part of our research, we found an enormous
source of data that allowed us to sample a dataset and find some highly popular
targets.



Among the repositories found vulnerable to this attack we discovered
organizations such as Google, Lyft and some that requested to remain anonymous.
All were notified of this vulnerability and promptly mitigated the risks. In
this blog we will show how an attacker can exploit this at scale and share the
PoC we ran on popular repositories. 

In contrast to past studies, our research emphasizes the security implications
and severity of this database if exploited by attackers, many of whom could find
within it numerous high-quality targets susceptible to RepoJacking. In this blog
we delve deeper into the exploitation scenarios of this attack and illustrate
each scenario using real-life examples.



WHAT IS REPOJACKING? 



To read more, you can find additional information in Appendix A.


REPOJACKING RESTRICTIONS AND BYPASSES:

GitHub places some restrictions on an attacker's ability to re-register an old
repository name (these restrictions are called retired names). However, they
apply only to repositories that were already popular before the rename, and
researchers recently found many bypasses to these restrictions that allow
attackers to open any repository they want.

If you want to read more about the restrictions and bypasses, you can find the
information in Appendix B.

As we learned from these bypasses, organizations should not depend on retired
names as a security mechanism. In this research, therefore, a vulnerable
repository is one whose URL gets redirected while the original organization (or
user) name no longer exists.


ARE YOU EXPOSED TO REPOJACKING? 

You may ask yourself; do I own repositories that are directly or indirectly
vulnerable to RepoJacking?  

The quick answer is that the possibilities of exposure are endless. There are a
few basic questions you should ask if you think you may be exposed.

 * What do you know about your organization?  

 * What are all the GitHub organization names you used before?  

 * Were there any mergers and acquisitions your organization was involved in?  

 * Are there any dependencies in your code that lead to a GitHub repository
   vulnerable to RepoJacking?

 * Is there guidance somewhere (documentation, guides, a Stack Overflow answer,
   etc.) that suggests you should use a GitHub repository vulnerable to
   RepoJacking?

As said above, the possibilities of exposure are endless, and depending on the
answers to any of these questions you may find your organization is vulnerable. 
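The following is an added example (not code from the Aqua post) that applies the definition above to the references a project actually carries in install scripts, READMEs or go.mod files: it extracts github.com/<owner>/<repo> references, checks whether each URL redirects and whether the owner name still exists, and flags the combination the post calls vulnerable. The sample text, the redirect targets and the HTTP responses are constructed for offline use; `http_status` is the live fetcher to pass instead.

```python
"""RepoJacking exposure check (added example, not code from the Aqua post).

A reference github.com/<owner>/<repo> counts as exposed, following the post's
definition, when the URL redirects (the project was renamed or moved) AND
github.com/<owner> no longer exists, so anyone could re-register that name.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# A fetcher returns (HTTP status, Location header) WITHOUT following redirects.
Fetcher = Callable[[str], tuple[int, Optional[str]]]

# Matches https://github.com/owner/repo/..., git@github.com:owner/repo.git and
# bare github.com/owner/repo paths as found in install scripts, READMEs, go.mod.
GITHUB_REF = re.compile(
    r"github\.com[/:]"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/"      # owner: user or org
    r"([A-Za-z0-9_.-]+?)(?:\.git)?(?=[/\s\"'`)>,;]|$)"  # repo name
)


def extract_refs(text: str) -> list[tuple[str, str]]:
    """Unique (owner, repo) pairs in order of first appearance.
    GitHub names are case-insensitive, so duplicates are folded on lowercase."""
    seen: set[tuple[str, str]] = set()
    refs: list[tuple[str, str]] = []
    for m in GITHUB_REF.finditer(text):
        key = (m.group(1).lower(), m.group(2).lower())
        if key not in seen:
            seen.add(key)
            refs.append((m.group(1), m.group(2)))
    return refs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following, so the redirect is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str) -> tuple[int, Optional[str]]:
    """Live fetcher (needs network): HEAD the URL, report status and Location."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "repojacking-exposure-check"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def classify(owner: str, repo: str, fetch: Fetcher = http_status) -> dict:
    """Apply the post's test to one reference."""
    status, location = fetch(f"https://github.com/{owner}/{repo}")
    result = {"ref": f"{owner}/{repo}", "status": status,
              "redirects_to": None, "owner_exists": None, "exposed": False}
    if status in (301, 302, 307, 308) and location:
        result["redirects_to"] = location
        owner_status, _ = fetch(f"https://github.com/{owner}")
        # Retired-name protection is not relied on (the post notes bypasses):
        # a free owner name alone makes the reference exposed.
        result["owner_exists"] = owner_status != 404
        result["exposed"] = owner_status == 404
    # A plain 404 is a broken link, not a hijackable one; 200 means no rename.
    return result


def check_text(text: str, fetch: Fetcher = http_status) -> list[dict]:
    return [classify(owner, repo, fetch) for owner, repo in extract_refs(text)]


# Constructed sample input: fragments like those in the post (an install script
# fetching a zip, README clone instructions, a go.mod requirement).
SAMPLE_TEXT = """
curl -L https://github.com/YesGraph/Dominus/archive/master.zip -o dominus.zip
git clone https://github.com/socraticorg/mathsteps.git
require github.com/example-org/widget v1.0.0
git clone git@github.com:ghost-owner/old-tool.git
go get github.com/kept-org/moved-repo
"""

# Constructed responses standing in for GitHub (not live data; the post says
# both real cases were fixed after disclosure). Redirect targets are made up.
FAKE_RESPONSES = {
    "https://github.com/YesGraph/Dominus": (301, "https://github.com/renamed-org/Dominus"),
    "https://github.com/YesGraph": (404, None),              # owner name free -> exposed
    "https://github.com/socraticorg/mathsteps": (301, "https://github.com/google/mathsteps"),
    "https://github.com/socraticorg": (404, None),           # owner name free -> exposed
    "https://github.com/example-org/widget": (200, None),    # no redirect -> fine
    "https://github.com/ghost-owner/old-tool": (404, None),  # broken link, not a redirect
    "https://github.com/kept-org/moved-repo": (301, "https://github.com/kept-org/new-name"),
    "https://github.com/kept-org": (200, None),              # renamed, owner still registered
}


def fake_fetch(url: str) -> tuple[int, Optional[str]]:
    return FAKE_RESPONSES.get(url, (404, None))


def exposed_refs(text: str = SAMPLE_TEXT, fetch: Fetcher = fake_fetch) -> list[str]:
    """References that should be pinned, vendored or repointed at the new name."""
    return [r["ref"] for r in check_text(text, fetch) if r["exposed"]]
```

Run it over your own scripts, manifests and docs with `check_text(open(path).read(), http_status)`; only redirected references whose old owner name is unregistered are reported, so a renamed repository whose owner still holds the account is not flagged.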


COMPILING A DATASET FOR OUR RESEARCH 

Attackers don’t need to do all this hard work. They aren’t bound to a specific
organization. They can scan the internet, find any victim they’d like, and if
they sense there’s profit behind the attack, they will continue until they
maximize their gain. Sources such as the GHTorrent project provide invaluable
data.

The GHTorrent project records any public event (commit, PR, etc.) that happens
on GitHub and saves it in a database. Anyone can download a database dump of a
specific timeframe. By utilizing this dataset, malicious actors can uncover the
historical names of various organizations and broaden their potential attack
surface.

In the image below you can see how easy it is to find a specific timeframe and
download it. 

 



Essentially, the entire history of usernames and organizations' names on GitHub
since 2012 is easily accessible to anyone. 

It’s important to note that during the research the website ghtorrent.org was
available. It is currently offline, but the dataset is still available at
http://ghtorrent-downloads.ewi.tudelft.nl/mysql.

Our research started from a data sample we found on this website. We downloaded
all the logs from a random month (June 2019) and compiled a list of 125 million
unique repositories’ names. Next, we sampled 1% (1.25 million repositories’
names) and checked each one to see if it was vulnerable to RepoJacking.  

We found that 36,983 repositories were vulnerable to RepoJacking, a 2.95% hit
rate. If we extrapolate this sample result to the entire GitHub repository base
(over 300 million repositories according to GitHub publications), there are
potentially millions of vulnerable repositories!




EXPLOITATION SCENARIOS

Now that we know how widespread RepoJacking is, the remaining question is how
can an attacker actually exploit a vulnerable repository?  

The attacker can exploit it when there is a reference somewhere in the public
internet to the previous name of the repository.  

We divided the exploitation scenarios into 2 categories:

 1. An automated download from a RepoJacking-vulnerable repository is when the
    user doesn’t willingly or knowingly download any resources from another
    GitHub repository. An example of this is when another project uses a
    component that is stored in a RepoJacking-vulnerable GitHub repository,
    for instance by downloading a resource or a package module (in Go or Swift,
    for example).
 2. A manual download from a RepoJacking-vulnerable repository is when the user
    actively inserts the link to the RepoJackable repository. One example of
    this is when a link appears in an official installation guide, whether in
    the vulnerable repository’s README.md or on the organization’s website.
    Another example is a link that appears elsewhere on the internet, for
    instance on Stack Overflow, a blog, or Reddit.

Below are 3 real-life examples of vulnerable repositories:

 1. Code Execution via installation scripts (automated)
 2. Code Execution via Readme/Build instructions (manual)
 3. Code Execution via repository releases (manual)


CODE EXECUTION VIA INSTALLATION SCRIPTS:  

In the image below you can see a screenshot from GitHub of the script install.sh
from Lyft’s repository. This script is designed to download a zip from the
repository https://github.com/YesGraph/Dominus which is vulnerable to
RepoJacking! The script extracts a compressed file and executes the extracted
shell script.  
 



This means that a user who uses the install.sh script in Lyft’s repository will
unknowingly fetch a file and run it from another repository. This code is fine
as long as the redirection between the new and the old repositories works.
However, the old repository is susceptible to RepoJacking. An attacker can
easily open the organization YesGraph which is available (in the image below you
can see that we control it) and create the repository Dominus. 



Once this is done, the redirection between the new and the old repository will
no longer exist and the zip file will be downloaded from a repository controlled
by the attacker. This leads to arbitrary code execution on the machines of the
original repository’s users.

We responsibly disclosed our finding to Lyft, which replied that the repository
was not currently in use. Additionally, they deprecated the repository within 2
days of the initial report. 


CODE EXECUTION VIA README/BUILD INSTRUCTIONS  

Another RepoJacking-vulnerable repository we found belonged to Google.



This repository is an instance of the manual, “official installation guide”
exploitation type: the README.md instructions in this repository tell you to
clone a project from another GitHub account.

 



As you can see, the instructions say to clone the project from the Socraticorg
(‘https://github.com/socraticorg/mathsteps’) organization rather than the Google
(‘https://github.com/google/mathsteps’) organization. A quick Google search
reveals that Socratic Org is a subsidiary of Google (they were founded in 2013,
launched their app in 2016 under this name, and were acquired by Google in 2018).

When you access https://github.com/socraticorg/mathsteps, you are redirected to
https://github.com/google/mathsteps, so eventually the user fetches Google’s
repository. However, because the socraticorg organization was available, an
attacker could open the socraticorg/mathsteps repository, and users following
Google’s instructions would clone the attacker’s repository instead. And because
the instructions run npm install, this leads to arbitrary code execution on the
users’ machines.

We disclosed our findings to Google, which fixed the issue.
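The step that turns a hijacked clone into code execution in this example is npm install, which runs lifecycle scripts declared by the package being installed. The check below is an added example for this post, not Google's, npm's or the mathsteps project's code: it reads a freshly cloned project's package.json and reports the scripts npm will run on its own during install, plus any dependencies that npm would fetch from github.com rather than from the registry, since those are RepoJacking targets in their own right. The sample manifest and every name in it (old-org, internal-lib, other-lib) are constructed.

```python
"""
Pre-'npm install' inspection of a freshly cloned project's package.json.

Added example; not code from the original post or from any project it
discusses. The sample manifest and all names in it are constructed.
"""
import json
import re

# Lifecycle scripts npm executes automatically for the package being installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# npm dependency specs that resolve to a GitHub repository:
# "owner/repo", "github:owner/repo#ref", "git+https://github.com/owner/repo.git",
# "git+ssh://git@github.com/owner/repo.git", "https://github.com/owner/repo"
GITHUB_SPEC = re.compile(
    r"^(?:github:|git\+https://github\.com/|git\+ssh://git@github\.com[/:]|"
    r"https://github\.com/|git@github\.com:)?"
    r"([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+?)(?:\.git)?(?:#.*)?$"
)


def github_dependency(spec):
    """(owner, repo), lowercased, if spec points at github.com; else None."""
    m = GITHUB_SPEC.match(spec.strip())
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def inspect_manifest(manifest):
    """Install-time hooks and GitHub-sourced dependencies of a parsed package.json."""
    scripts = manifest.get("scripts") or {}
    hooks = {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}
    github_deps = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (manifest.get(field) or {}).items():
            ref = github_dependency(str(spec))
            if ref:
                github_deps[name] = ref
    # Hooks inside transitive dependencies run as well; this covers only the
    # top-level manifest of the repository you just cloned.
    return {"install_hooks": hooks, "github_deps": github_deps}


def check_package_json(text):
    """Parse package.json text and inspect it."""
    return inspect_manifest(json.loads(text))


# Constructed manifest with hypothetical names.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "scripts": {
    "preinstall": "node scripts/setup.js",
    "test": "jest"
  },
  "dependencies": {
    "some-registry-dep": "^1.0.0",
    "internal-lib": "github:old-org/internal-lib#v2.1.0",
    "other-lib": "git+https://github.com/old-org/other-lib.git"
  }
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGE_JSON
    report = check_package_json(text)
    for name, cmd in report["install_hooks"].items():
        print(f"runs on install: {name}: {cmd}")
    for name, (owner, repo) in report["github_deps"].items():
        print(f"fetched from GitHub: {name} -> github.com/{owner}/{repo}")
```

Run it with the path to the cloned project's package.json before typing npm install; with no argument it inspects the constructed sample. Anything listed under "runs on install" executes with your privileges the moment npm install starts, so it is worth reading when the clone came from an organization name you did not verify.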


CODE EXECUTION VIA REPOSITORY RELEASES:

In this example we show how RepoJacking can affect GitHub releases.



Here the README instructs us to download the file extension.vsix, a Visual
Studio Code extension, from the GitHub releases page of this repository.



This link is vulnerable to RepoJacking (the old_org name is available to an
attacker). As a result, once the attacker has registered old_org and created
the repository, a user accessing this URL is no longer redirected and downloads
the attacker's VS Code extension instead.

If you want to learn more about the dangers of installing malicious VS Code
extensions, read our blog post on malicious VS Code extensions. In fact, this
repository is what led us to research the dangers of installing a malicious
VS Code extension and the flaws of the marketplace.


THE POC

To put theory into practice we created a PoC that illustrates how RepoJacking
works in practice. We ran it against several repositories belonging to popular
organizations and gathered basic metadata such as hostname, IP address and DNS
name servers to see who downloaded artifacts from the vulnerable repositories.

Our PoC was triggered several times, leading to code execution in environments
belonging to some big companies. Below is an example of one such PoC execution.



In the screenshot above you can see the information of the user that downloaded
the PoC: the username (blurred), installation directory, DNS servers (some
blurred) and home directory (blurred).


SUMMARY AND MITIGATIONS

Our goal in this blog post was to shed light on how widespread RepoJacking is
and the risk it poses to organizations and their users. We presented our
analysis of a subset of the GHTorrent Project database, which showed the
potential risk to many organizations, and we described several exploitation
scenarios together with real-life examples of repositories vulnerable to them.

To mitigate the risk, we recommend taking the following steps:

 * Regularly check your repositories for links that fetch resources from
   external GitHub repositories (install scripts, README instructions, release
   download URLs, Go module paths and similar), because the referenced project
   or its owner can change name at any time.
 * If you change your organization or user name, ensure that you still own the
   previous name as well, even as a placeholder, so that an attacker cannot
   register it.
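The first recommendation, applied to the three patterns shown above (an install script fetching an archive, a README clone command and a release download link), comes down to one question per reference: does github.com serve this owner/repo directly, or only through a rename redirect whose old owner name anyone can register? The script below is an added example for this post, not Aqua's tooling and not code from any repository discussed here. It extracts owner/repo pairs from arbitrary project text, and classifies each one from two HEAD requests. It assumes, which the post does not state, that GitHub answers a request for a renamed account's repository with a 301 whose Location is under the new owner, and answers 404 for https://github.com/<owner> when that name is unclaimed; every snippet, name and canned response in it is constructed.

```python
"""
Audit project text (install scripts, READMEs, go.mod, release links) for
GitHub references that resolve only through a user/org rename redirect.

Added example; not code from the original post or from any repository it
discusses. All sample snippets, names and canned responses are constructed.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# owner/repo after github.com in URLs, Go module paths, git SSH remotes and
# release download links such as .../owner/repo/releases/download/v1/x.vsix
GITHUB_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9][A-Za-z0-9-]*)/([A-Za-z0-9_.-]+?)(?:\.git)?"
    r"(?=[/\s\"'),>]|$)",
    re.MULTILINE,
)
REDIRECTS = (301, 302, 307, 308)


def extract_refs(text):
    """All (owner, repo) pairs in text, lowercased (GitHub names are case-insensitive)."""
    return {(o.lower(), r.lower()) for o, r in GITHUB_REF.findall(text)}


def probe(url, timeout=10):
    """HEAD url without following redirects; return (status, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface the 3xx instead of following it
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def owner_of(location):
    """Owner segment of a github.com Location header, lowercased, or None."""
    first = urlparse(location).path.strip("/").split("/")[0]
    return first.lower() or None


def assess(ref, repo_resp, owner_resp):
    """
    Classify one reference.
    ref        : (owner, repo) as written in the project
    repo_resp  : (status, location) for https://github.com/owner/repo
    owner_resp : (status, location) for https://github.com/owner
    """
    owner, _ = ref
    status, location = repo_resp
    if status in REDIRECTS and location and owner_of(location) not in (None, owner):
        # The reference works only through GitHub's rename redirect.
        if owner_resp[0] == 404:
            # Old owner name is unclaimed: register it, create the repo, redirect is gone.
            return "repojackable"
        # Someone holds the old name; safe only if that is the original owner's placeholder.
        return "redirect-owner-held"
    if status == 404:
        return "dangling"  # repo deleted, private, or never existed
    return "direct"        # served by the owner named in the project


def audit_text(text, trusted_owners=(), probe=probe):
    """Assess every reference whose owner is not one the project itself controls."""
    findings = {}
    for owner, repo in sorted(extract_refs(text)):
        if owner in trusted_owners:
            continue
        findings[(owner, repo)] = assess(
            (owner, repo),
            probe(f"https://github.com/{owner}/{repo}"),
            probe(f"https://github.com/{owner}"),
        )
    return findings


# Constructed fragments in the shape of the post's examples (hypothetical names).
SAMPLE = """\
curl -sSL https://github.com/old-org/tool/archive/master.zip -o tool.zip   # install.sh
git clone https://github.com/old-org/tool.git                              # README
wget https://github.com/old-org/tool/releases/download/v1.0/extension.vsix # release asset
require github.com/new-org/tool/v2 v2.3.0                                  # go.mod
"""

# Canned answers standing in for live HEAD requests so the demo runs offline.
CANNED = {
    "https://github.com/old-org/tool": (301, "https://github.com/new-org/tool"),
    "https://github.com/old-org": (404, None),
}


def demo():
    """Audit SAMPLE against the canned responses; pass probe=probe for a live check."""
    return audit_text(SAMPLE, trusted_owners={"new-org"},
                      probe=lambda url: CANNED.get(url, (200, None)))


if __name__ == "__main__":
    for (owner, repo), verdict in demo().items():
        print(f"github.com/{owner}/{repo}: {verdict}")
```

For a real audit, feed audit_text the concatenated contents of a checkout (for example the output of git grep -l github.com) with your own organization names in trusted_owners and leave probe at its default so the two HEAD requests go to github.com. A "repojackable" verdict is the case described in this post; "redirect-owner-held" still deserves a look, because the reference keeps working only for as long as whoever holds the old name chooses not to create that repository.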

It is important to note that our analysis covered only a fraction of the
available data, which means there are many more vulnerable organizations,
potentially including yours.



Appendix A:


WHAT IS REPOJACKING?

GitHub RepoJacking (also known as dependency repository hijacking) is a type of
supply chain attack in which an attacker takes over a GitHub project's
dependencies, or the project itself, in order to run malicious code on whoever
uses those projects.

RepoJacking can occur when a GitHub user or organization changes its name. To
avoid breaking code that depends on the old name, GitHub creates a link from
the old name to the new one (the old name redirects to the new one). So if your
code is designed to use dependencies from another GitHub project (or the whole
project) at ‘github.com/username_A/repo_A’ and the owner has changed the
account's name so that it now lives at ‘github.com/username_B/repo_A’, GitHub
links the dependencies to the new account (‘github.com/username_B/repo_A’) even
though your code still points to ‘github.com/username_A/repo_A’.

So far, this is ideal for developers. Nevertheless, the old username becomes
available and anyone can register it. Once someone creates both ‘username_A’
and the repository ‘repo_A’, the link described above breaks, and any project
that relied on ‘github.com/username_A/repo_A’ once again downloads its
dependencies from that repository, which is now owned and controlled by someone
else. Attackers are aware of this and actively exploit it in supply chain
attacks.

We can suggest two plausible RepoJacking scenarios:

Username renamed: When a repository owner changes their username, a link is
created from the old name to the new one for anyone who downloads dependencies
from the old repository. However, anyone can register the old username and
break this link.

Mergers and acquisitions: In this scenario, ownership of the repository is
transferred to another account because of a merger or acquisition, and the
original account is deleted. Anyone who downloads dependencies from the old
repository is redirected to the new account. Nevertheless, anyone can still
register the old username and break this link.

 

Appendix B: 


REPOJACKING RESTRICTIONS AND BYPASSES:

Although GitHub has made attempts to block RepoJacking over the years, these
protections remain incomplete and can be bypassed by attackers.

One example of their incompleteness: GitHub protects repositories with a high
volume of cloning (more than 100 clones in the week before the organization
name was changed, as mentioned in GitHub's documentation). However, this
protection does not cover repositories that were not popular in the past but
gained popularity after ownership was transferred to a large organization.

Additionally, big organizations may use a project affected by RepoJacking as a
dependency in other projects, so a supply chain attack through a vulnerable
repository with few stars can reach a highly popular project with many stars.

Furthermore, even where a repository was initially protected by GitHub,
attackers have found ways to circumvent these protections. One such bypass was
recently discovered by Checkmarx.

ILAY GOLDMAN

Ilay is a Security Researcher at Aqua. As part of Team Nautilus, he discovers
different techniques of supply chain attacks and finds vulnerabilities and
attack vectors in cloud native environments. Before Aqua, he worked as a red
teamer. In his free time, he enjoys cooking, doing sports and listening to
music.

YAKIR KADKODA

Yakir is a Security Researcher at Aqua Nautilus, Aqua’s research team. He
focuses on finding and researching new vulnerabilities and attack vectors in
cloud native environments. Prior to Aqua, he worked as a red teamer. When he is
not at work, he enjoys baking and cooking and is particularly interested in the
science of cooking.

Copyright © 2023 Aqua Security Software Ltd.