More than 15,000 Go module repositories on GitHub accounting for at least 800,000 Go module variants could be compromised in repojacking attacks, The Hacker News reports.
Over 9,000 of the repositories were vulnerable as a result of username changes on GitHub, while the remaining repositories were exposed due to account deletion, a report from VulnCheck revealed.
Repojacking attacks are more likely against Go modules due to their decentralized nature, said researchers.
"Anyone can then instruct the Go module mirror and pkg.go.dev to cache the module's details. An attacker can register the newly unused username, duplicate the module repository, and publish a new module to proxy.golang.org and go.pkg.dev," said VulnCheck Chief Technology Officer Jacob Baines.
Baines also noted that Go or GitHub should be responsible for addressing such repojacking attack concerns.
"Until then, it's important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from," Baines added.
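As an added example (not VulnCheck's or the article's code), the following Go checker follows Baines's advice: it lists the GitHub-hosted modules a go.mod requires and asks github.com, without following redirects, whether each origin repository is still served, redirected (owner renamed) or missing. The reading of the 301 and 404 responses and the placeholder module path are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// GitHubModules returns the github.com/<owner>/<repo> prefix of each module a go.mod requires,
// from "require path vX" lines or "require ( ... )" blocks ("<path> v<version> [// indirect]").
func GitHubModules(gomod string) []string {
	var mods []string
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "require "))
		if len(f) < 2 || !strings.HasPrefix(f[1], "v") {
			continue
		}
		if p := strings.Split(f[0], "/"); p[0] == "github.com" && len(p) >= 3 {
			mods = append(mods, strings.Join(p[:3], "/"))
		}
	}
	return mods
}

// Classify reads the status of a HEAD request that did NOT follow redirects: 301 = owner renamed
// (old username may be free to re-register), 404 = repo or account gone; 200 only proves something is served today.
func Classify(status int) string {
	if s, ok := map[int]string{200: "present", 301: "redirected", 404: "missing"}[status]; ok {
		return s
	}
	return "unknown"
}

// CheckOrigin sends that HEAD request for one prefix such as github.com/owner/repo.
func CheckOrigin(mod string) (string, error) {
	resp, err := (&http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}).Head("https://" + mod)
	if err != nil {
		return "unknown", err
	}
	resp.Body.Close()
	return Classify(resp.StatusCode), nil
}

func main() {
	gomod := "require (\n\tgithub.com/example-owner/lib v1.2.0\n)\n" // constructed excerpt; placeholder path
	for _, mod := range GitHubModules(gomod) {
		state, err := CheckOrigin(mod)
		fmt.Println(mod, state, err)
	}
}
```

Treat "redirected" and "missing" results as the modules worth inspecting; "present" only means the check found nothing obviously off.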
Seventy-four percent of codebases contained high-risk open source vulnerabilities (flaws that have been exploited, have proof-of-concept exploits, or allow remote code execution) last year, a significant increase over the 48% recorded in 2022.
A command injection vulnerability in a GitHub Actions workflow used by Bazel could have allowed threat actors to add malicious code to the production environment of projects using the Google open-source product.