Millions of GitHub repos likely vulnerable to RepoJacking, researchers say

AquaSec’s Nautilus security team has warned that up to 9 million GitHub projects may be vulnerable to dependency repository hijacking, known as “RepoJacking.” In this attack a malicious actor registers an old, abandoned repository name, and any project that still fetches its dependencies from that name unwittingly pulls from the attacker-controlled repository, which may be seeded with malware. RepoJacking was flagged in 2019, and GitHub added defences against it. However, AquaSec reports that these protections have so far been inadequate and easily bypassed, and that the risk of RepoJacking remains widespread and hard to mitigate, with serious consequences for organisations and users.
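A defender-side check, added here as an illustration and not part of the article or of AquaSec's tooling: scan a dependency manifest for GitHub references and flag names that now only resolve through a rename redirect or no longer resolve at all, since those are the names a third party could register. The resolver and all owner/repo names below are constructed stand-ins for a live GitHub API lookup.

```python
import re
from typing import Callable, Optional

# Matches github.com/<owner>/<repo> in go.mod, requirements.txt, package.json etc.
GITHUB_REF = re.compile(r"github\.com[/:]([\w-]+)/([\w.-]+)")

def extract_github_refs(manifest_text: str) -> list[tuple[str, str]]:
    """Return the distinct (owner, repo) pairs a manifest pulls from GitHub."""
    pairs = [(m.group(1), m.group(2).removesuffix(".git"))
             for m in GITHUB_REF.finditer(manifest_text)]
    return list(dict.fromkeys(pairs))  # dedupe, keep first-seen order

def audit_manifest(manifest_text: str,
                   resolve: Callable[[str, str], Optional[tuple[str, str]]]) -> list[dict]:
    """Classify each GitHub dependency by what its name currently resolves to.
    resolve(owner, repo) returns the canonical (owner, repo) served for that name,
    or None when the name returns 404 (no repository and no redirect)."""
    findings = []
    for owner, repo in extract_github_refs(manifest_text):
        canonical = resolve(owner, repo)
        if canonical is None:
            status = "MISSING"    # name is free to register: RepoJacking exposure
        elif canonical != (owner, repo):
            status = "REDIRECT"   # served only via rename redirect; old name is claimable
        else:
            status = "OK"
        findings.append({"ref": f"{owner}/{repo}", "status": status, "canonical": canonical})
    return findings

# Constructed sample go.mod (hypothetical module names, not from any real project).
SAMPLE_GO_MOD = """\
module example.com/app
require (
    github.com/old-org/widgets v1.4.0
    github.com/still-here/logger v2.0.1
    github.com/gone-user/parser v0.3.0
)
"""

# Constructed stand-in for a live lookup such as GET api.github.com/repos/{owner}/{repo}
# (which answers with a redirect to the new name after a rename). Hypothetical names.
RENAMES = {("old-org", "widgets"): ("new-org", "widgets"),
           ("still-here", "logger"): ("still-here", "logger")}
def fake_resolve(owner: str, repo: str) -> Optional[tuple[str, str]]:
    return RENAMES.get((owner, repo))  # ("gone-user", "parser") is unknown -> None

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_GO_MOD, fake_resolve):
        print(f"{f['status']:8} {f['ref']:28} -> {f['canonical']}")
```

REDIRECT findings should be re-pinned to the canonical name; MISSING findings need the dependency replaced or vendored, since whatever the name serves next is outside your control.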
