I'm pretty sure GitHub warns you every single time you pull from or push to a repository where the organisation or repository has been renamed and you're relying on an alias that is not permanent.
Why is this news, and why does it need a name of "RepoJacking" assigned to it when the behaviour is working exactly as designed?
This isn't a novel vulnerability, and I wouldn't say any novel vulnerability research has been conducted here. Sure, there's some value in doing a code search and finding instances where people have automated scripts etc. relying on aliases, but the vulnerability lies within these scripts.
All mutable global namespaces have the same problems.
I didn't know you could get street cred pointing this out one by one.
Let's try! If someone buys an expired domain and installs an SSL cert on it then old scripts will think it's legit. Let's call it phantomain, a combination of phantom and domain.
First thing I thought of too. If you've acquired a company, you'll need to plan on keeping the old domain names for a long time, if not indefinitely. Anyone who can later re-register that domain will now own any email sent there and any other network traffic as well.
No no! That's gotta be Ghomainjacking, two buzzwords in one AND ghosts are waaay spookier! Phantoms evoke too much imagery of incels in masks, singing on boats.
I was also trying to allude to Saint-Domingue, the French colony which France woke up one day to realize it no longer had, and "sans domain", which are way too nerdy. Let's go with yours.
Ghomainjacking but it's pronounced fimainjacking using the gho from ghoti because it's in the class of phishing attacks using a collision you didn't realize was possible
After NPR said they weren't going to post anymore because Musk decided to label them as "State Controlled Media" he made a point of saying, "OK, then we'll give your username to someone else after it expires in a month (apparently not posting for a month now expires accounts?)"
Hmm, did you read the article? One specific attack vector they show has nothing to do with Git or pushing/pulling to repositories. It shows an install.sh which curl downloads a master.zip from a public GitHub repo and executes files within it.
> It shows an install.sh which curl downloads a master.zip from a public github repo
A repo that is an alias to another one. Someone can create this repo breaking the alias and thus being able to serve whatever they want. This is the so-called "repojacking" and what GP is also talking about.
> So would I see this message if it was pulled in a script, by npm, go install, cargo or another such tool?
The repository maintainers would, every single time they updated the code.
For your own scripts, you'd see a 301 Moved Permanently response when e.g. fetching a source code ZIP. It's up to you as to whether you want to follow this redirect silently or print a warning.
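As an added example (written for this page, not code from any commenter or from the article under discussion), here is how the install.sh pattern mentioned above can be hardened along the lines this comment suggests: fetch the archive without following redirects, treat a 301/302 as a signal that the repository or organisation behind the URL has moved, and pin the archive to a SHA-256 digest so a swapped-in master.zip is rejected even if the name resolves. It assumes `curl` and `sha256sum` are installed; the URL, the digest and the `fetch_pinned` function name are placeholders/assumptions, not values from the thread.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread or project.
# Hardened install step: refuse silent redirects and pin the archive digest.
# Assumes: curl, sha256sum. URL and digest below are placeholders.

ARCHIVE_URL="https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/archive/refs/heads/master.zip"  # placeholder
EXPECTED_SHA256="REPLACE_WITH_DIGEST_OF_THE_ARCHIVE_YOU_REVIEWED"                          # placeholder

# Decide from an HTTP status code and Location header whether a download may proceed.
# Returns 0 only for a direct 200; a 3xx means the name we pinned no longer points
# where it did (renamed org/repo), so we stop and tell the operator instead of following.
redirect_check() {
  status="$1"
  location="$2"
  case "$status" in
    200) return 0 ;;
    301|302|307|308)
      echo "refusing to follow redirect (repository moved?) -> $location" >&2
      return 1 ;;
    *)
      echo "unexpected HTTP status $status" >&2
      return 1 ;;
  esac
}

# Compare a downloaded file against a pinned SHA-256 digest; 0 on match, 1 otherwise.
verify_sha256() {
  file="$1"
  expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: expected $expected, got $actual" >&2
    return 1
  fi
  return 0
}

# Download without -L (no redirect following), capture status and headers in one
# request, then gate the result through the two checks above. Network is touched only
# when this function is called.
fetch_pinned() {
  url="$1"
  out="$2"
  expected="$3"
  headers=$(mktemp) || return 1
  status=$(curl -sS -D "$headers" -o "$out" -w '%{http_code}' "$url") || { rm -f "$headers"; return 1; }
  location=$(awk 'tolower($1)=="location:" {print $2}' "$headers" | tr -d '\r')
  rm -f "$headers"
  redirect_check "$status" "$location" || return 1
  verify_sha256 "$out" "$expected"
}

# Opt-in entry point so sourcing or testing this file does not hit the network.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  fetch_pinned "$ARCHIVE_URL" master.zip "$EXPECTED_SHA256" || exit 1
  echo "archive verified; safe to unpack master.zip"
fi
```

Run with `RUN_INSTALL=1 sh install.sh` after filling in the placeholders. The digest pin is what actually closes the gap: the redirect check only detects a rename, while the pin rejects any archive that differs from the one you reviewed, whoever now owns the name.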
Nope. The project I work on went through a governance restructuring and we moved half the repos to a new org. I haven't updated most of my remotes, but they redirect seamlessly, no CLI warnings whatsoever.