Go has always been highly susceptible to supply chain attacks through repojacking/typosquatting etc. Still better than npm/pypi but Rust/Java/Maven do it way better
17 May 2025
Over 300,000 Prometheus servers and exporters are exposed to the internet without authentication, posing significant security risks, including information disclosure, DoS attacks, and remote code execution through "RepoJacking" vulnerabilities ➤ ku.bz/kfm9gDp_x
17 Apr 2025
Over 300,000 Prometheus servers and exporters are exposed to the internet without authentication, posing significant security risks, including information disclosure, DoS attacks, and remote code execution through "RepoJacking" vulnerabilities ➜ ku.bz/kfm9gDp_x
18 Mar 2025
🚨 Wiz researchers discover a critical vulnerability in GitHub that allowed unauthorized access to private repositories, potentially affecting millions of users and organizations. #CiberseguridadGitHub #SegurityBreach 👇👇

DETAILED SUMMARY:

DISCOVERY OF THE VULNERABILITY
Security researchers at @wiz_io have discovered a critical vulnerability in @github that could have allowed attackers to access private repositories without authorization. This flaw, dubbed "RepoJacking", exploited a weakness in GitHub's account renaming process.

MECHANISM OF THE VULNERABILITY
1. An attacker could create an account with the username of an organization that had recently changed its name.
2. GitHub automatically redirected requests to the organization's new name.
3. However, the ACLs (Access Control Lists) remained tied to the old name.
4. This allowed the attacker to access the original organization's private repositories.

IMPACT AND SCOPE
The vulnerability potentially affected millions of users and organizations that use GitHub. Wiz researchers were able to access private repositories of major companies, including:
- @Microsoft
- @Apple
- @Amazon
- @Netflix
- @Shopify
In addition, more than 100,000 organizations were found to have changed their names on GitHub in the last 18 months, which made them potentially vulnerable.

GITHUB'S RESPONSE
GitHub responded quickly to Wiz's report:
1. It fixed the vulnerability in under 6 hours.
2. It implemented measures to prevent future abuse.
3. It carried out a thorough audit to ensure there had been no malicious exploitation.

IMPLICATIONS FOR SUPPLY CHAIN SECURITY
This incident underscores the importance of software supply chain security. A successful attack could have compromised:
- Confidential source code
- Secrets and access tokens
- Sensitive customer and user information

SECURITY RECOMMENDATIONS
Wiz experts and the cybersecurity community recommend:
1. Implementing two-factor authentication (2FA) on all accounts.
2. Regularly reviewing repository access permissions.
3. Using secret-scanning tools to avoid exposing sensitive information.
4. Keeping all dependencies and software packages up to date.

CONCLUSIONS
The discovery of this vulnerability highlights the need for constant vigilance in the security of collaborative development platforms. GitHub's rapid response demonstrates the importance of collaboration between security researchers and technology companies. This incident serves as a reminder that even the most widely used and trusted platforms can have hidden vulnerabilities. The development community must remain alert and adopt robust security practices to protect its digital assets. #GitHub #Ciberseguridad #VulnerabilidadSoftware #SeguridadIT
New research from Aqua Nautilus uncovers critical vulnerabilities in the #Prometheus ecosystem: 🔓 Sensitive data exposure: Credentials and API keys left unprotected. 🛑 Denial-of-Service (DoS): Debugging endpoints exploited to crash servers and Kubernetes pods. 🖥️ Remote code execution: RepoJacking risks from abandoned GitHub repositories. With over 336,000 Prometheus servers and exporters exposed to the internet, attackers can exploit these flaws to target organizations. aquasec.com/blog/300000-prom…
3 Sep 2024
A threat to open source repositories has recently emerged: #RepoJacking. By gaining access to the account, a hacker can inject malicious code into projects that use this #Git repository as a dependency. An overview of this threat. buff.ly/3Mr7TfE
15 Aug 2024
Your #code might be more vulnerable than you think. 😱 #RepoJacking is a powerful, yet widely unknown threat to your software supply chain. Learn how this attack works and how to defend against it in our latest blog post. snyk.co/uhgye
9 Aug 2024
Your #code might be more vulnerable than you think. 😱 #RepoJacking is a powerful, yet widely unknown threat to your software supply chain. Learn how this attack works and how to defend against it in our latest blog post. snyk.co/uhgye
30 Jul 2024
Your #code might be more vulnerable than you think. 😱 #RepoJacking is a powerful, yet widely unknown threat to your software supply chain. Learn how this attack works and how to defend against it in our latest blog post: snyk.co/uhgyd
Thrilled to have Elliot Ward join us at #BSidesVilnius2024! 🌟 Learn about RepoJacking and its implications for supply chain security in his talk. See you there! #infosec #cybersecurity
Stay Ahead of Repo-Jacking: Learn key strategies to protect your GitHub repositories. Check out this guide on preventing unauthorized access and securing your code. github.blog/2024-02-21-how-t… #GitHubSecurity #RepoJacking #CyberSafety

GitHub Vulnerability Exposes Millions to RepoJacking Threat cysecurity.news/2024/03/gith…
Millions of #software repos on #GitHub may be vulnerable to RepoJacking... Are you sure that your repository is a safe place? Read our blog post and learn if it's possible to minimize the risks and stay secure 🔍 gitprotect.io/blog/github-re… #vulnerability #DevOps #security

New Typosquatting and Repojacking Tactics Uncovered on PyPI infosecurity-magazine.com/ne… #cybersecurity #infosec #hacking

14 Jan 2024
🚨 Hackers have been exploiting GitHub in several ways, primarily through a technique known as "repojacking."

These attacks involve exploiting a vulnerability in GitHub's repository creation and username renaming operations. A threat actor could potentially take control of a legitimate and frequently used namespace, a combination of the username and repository name.

Cybercriminals use GitHub as a platform to host and distribute malicious files. This misuse is part of a broader trend called "living in trusted places" (LOTS), where attackers exploit legitimate internet services as part of their criminal infrastructure.

This is a specific type of attack where threat actors hijack GitHub repositories. It works by exploiting a simple but critical flaw: when a GitHub user changes their username, the old username becomes available for registration. Attackers can then register the old username and populate its repositories with malicious files. This can compromise project repositories, hosting malware that can be downloaded by others, including individuals and companies reliant on these projects.

An advanced form of this attack involves exploiting a race condition within GitHub's repository creation and username renaming operations. This vulnerability could potentially enable the hijacking of over 4,000 code packages in various programming languages, posing a significant risk to the software supply chain.

Addressing these GitHub vulnerabilities is challenging due to the platform's open nature and the sophistication of these attacks. Integration of @Conste11ation HGTP could potentially offer a robust solution to such security issues. HGTP, already utilized by the US Air Force and 618 AOC for secure data exchange, is ideal for GitHub's cybersecurity needs. The "Iron SPIDR" project, a collaboration between Constellation Network and Kinnami, exemplifies this.

Here's how it could help GitHub: 👇

1⃣ Zero Trust Approach: HGTP employs a zero trust network approach, which means no implicit trust is granted to assets or user accounts based solely on their physical or network location. This approach is crucial in mitigating both external and internal security threats by verifying every connection before granting network access.

2⃣ Blockchain Integration for Data in Transit: Constellation Network uses a blockchain solution to cryptographically secure complex data structures in contested network environments. This approach ensures the integrity and security of data as it is transmitted across networks, making it virtually impossible for attackers to hijack or tamper with the data.

3⃣ Resilient Distributed Network: The network is designed to be highly resilient with no single point of failure. This distributed architecture means that even if a part of the network is compromised, the rest of the system remains secure, thereby reducing the risk of widespread data breaches.

4⃣ Instantaneous Data Processing and Notarization: By processing, notarizing, and securing data as it is created and communicated, Constellation Network significantly increases both the validation speed and data security. This real-time processing is essential for detecting and preventing unauthorized access or modifications to data.

5⃣ Encrypted Object Storage and Secure Data Management: Kinnami’s platform integrates data security, data protection, and data availability into a single technology. It organizes information into encrypted objects owned by end-users and stores them across a network of devices, ensuring that data is secured before it is stored or transmitted anywhere else.

6⃣ AI-Driven Data Management: Administrators can define policies using AI to determine where encrypted objects and their versions should be stored. This efficient management ensures that data is replicated around the network to storage devices with matching policies, enhancing security and accessibility.

7⃣ Immutability and Audit Trail: The integration of Constellation Network’s blockchain solution with Kinnami’s platform ensures the immutability of the audit trail. This provides irrefutable categorization and auditing metadata about data content, which is crucial for compliance and tracking of data integrity.

8⃣ Complementary Systems for Distributed Data Management: The collaboration between Constellation Network and Kinnami creates two complementary systems that together offer a powerful solution for distributed and secure data management. This joint solution overcomes the inherent problems with centralized legacy systems, offering a more cost-effective and efficient alternative for handling large volumes of sensitive data.

Each of these elements collectively creates a robust framework for securing data against sophisticated attacks like those seen on GitHub. By employing a zero trust approach, leveraging blockchain for data in transit, and using AI-driven encrypted object storage, the collaboration between Constellation Network and Kinnami offers a comprehensive and proactive defense against a range of cyber threats. This makes it an ideal solution for organizations looking to enhance their data security posture in an increasingly digital and interconnected world. #BlockchainSecurity #CyberDefense #DataEncryption #ZeroTrustNetwork #TechInnovation #SecureDataExchange
11 Dec 2023
An introduction to Go module repository hijacking (repojacking), from VulnCheck ift.tt/21KWOE7 ift.tt/puYgLql
