Protect Your Code Repo
Repojacking is a tactic used by malicious actors to hijack old repository names and add scripts that target dependent applications. It becomes possible when a developer or repository owner changes their username: malicious actors target the combination of the old username and the repository name, which dependent applications may still reference. Repojacking is therefore a threat that organizations should start monitoring, whether their developers are in-house or outsourced. We recommend the following best practices for organizations and developers that use cloud-based services for software development and version control, such as GitHub:
- Create private clones of repositories to reduce the risk associated with dependencies
- Regularly audit your software project dependencies
- Minimize the resources that your application fetches from external repositories as much as possible
- If a developer changes their username, they should claim and reserve the old name by registering another account
- Evaluate and implement further measures such as using SSH authentication to prevent exploits
- Add these recommendations to your IT audit plan when auditing your in-house development, and to your due diligence checks during the contracting process for outsourced software development. They should also be applied during exit management of outsourced software development services.
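One way to run the dependency audit recommended above, as an added example that is not part of the original page: scan a manifest for GitHub-hosted dependencies, resolve each name through GitHub's redirect (a repository whose name now redirects elsewhere is exactly the stale username/repository combination repojacking relies on), and also note whether the reference is pinned to a full commit hash, which goes beyond the page's list. The manifest, the owner and repository names and the canned redirect table are constructed; `live_resolve` assumes GitHub answers a HEAD request on a renamed repository with a redirect and on a missing one with 404.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

# Any GitHub reference in a manifest: github.com/owner/repo[.git][@ref] (constructed pattern)
GITHUB_REF = re.compile(
    r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?:[@#]([\w./-]+))?(?=[\s\"',]|$)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def extract_github_deps(manifest_text: str):
    """Return (owner, repo, ref) for every GitHub-hosted dependency in a manifest."""
    return [(m.group(1), m.group(2), m.group(3)) for m in GITHUB_REF.finditer(manifest_text)]

def audit(manifest_text: str, resolve: Callable[[str, str], Optional[str]]):
    """resolve(owner, repo) -> current 'owner/repo' after redirects, or None if it is gone."""
    findings = {}
    for owner, repo, ref in extract_github_deps(manifest_text):
        current = resolve(owner, repo)
        if current is None:
            status = "missing"          # name no longer resolves at all
        elif current.lower() != f"{owner}/{repo}".lower():
            status = "redirected"       # old name released: repojacking precondition
        else:
            status = "ok"
        findings[f"{owner}/{repo}"] = {"status": status, "resolved": current,
                                       "pinned": bool(ref and FULL_SHA.fullmatch(ref))}
    return findings

def live_resolve(owner: str, repo: str) -> Optional[str]:
    """Network resolver (assumed behaviour): follow GitHub's redirect for a renamed repository."""
    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            path = resp.geturl().removeprefix("https://github.com/").strip("/")
            return "/".join(path.split("/")[:2])
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

# Constructed sample manifest and a canned resolver so the audit runs offline.
SAMPLE_MANIFEST = """\
git+https://github.com/acme-old/httpkit.git@v1.2.0
git+https://github.com/acme/authlib.git@0123456789abcdef0123456789abcdef01234567
git+https://github.com/gone-user/legacy-tool.git
"""
SIMULATED_REDIRECTS = {"acme-old/httpkit": "acme-new/httpkit", "acme/authlib": "acme/authlib"}

def simulated_resolve(owner: str, repo: str) -> Optional[str]:
    return SIMULATED_REDIRECTS.get(f"{owner}/{repo}")
```

Any "redirected" or "missing" finding is a candidate for the private clone the list recommends; swap `simulated_resolve` for `live_resolve` to run it against a real manifest.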