Maintainer hijack / repo-jacking
Definition
Maintainer hijack, also known as repo-jacking, occurs when a malicious actor gains control over a software repository by exploiting weaknesses in how repositories are managed or transferred. This can happen when a repository is transferred to a new owner but the original maintainer's permissions are not revoked, or when a repository is deleted and its name becomes available for an attacker to re-register. Either way, the attacker can then publish malicious code under the repository's established name, potentially affecting every user and downstream project that depends on it.
Secure Settings Example
# GitHub repository settings to prevent maintainer hijack
permissions:
  maintainers:
    - username: "secure_maintainer"
branch_protection_rules:
  - pattern: "main"
    required_status_checks:
      strict: true
      contexts: ["ci/test", "ci/lint"]
    enforce_admins: true
    required_pull_request_reviews:
      required_approving_review_count: 2
    restrictions:
      users: []
      teams: ["core-team"]
Insecure Settings Example
# GitHub repository settings with potential for maintainer hijack
permissions:
  maintainers:
    - username: "old_maintainer" # Old maintainer not removed
branch_protection_rules:
  - pattern: "main"
    required_status_checks:
      strict: false # Status checks not enforced
    enforce_admins: false # Admins can bypass protections
    required_pull_request_reviews:
      required_approving_review_count: 0 # No review required
    restrictions:
      users: []
      teams: []
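The two settings blocks above differ in a handful of fields, and those differences are exactly what a repository audit should look for: a maintainer entry that is no longer on the approved list, admins able to bypass branch protection, status checks not enforced, no review requirement, and empty push restrictions. The following is an added example (not code from the original page) of a small policy check over settings of that shape. It assumes the settings have already been loaded into Python dictionaries (for example with PyYAML's yaml.safe_load, or from the hosting platform's API); the two dictionaries below are constructed to mirror the page's secure and insecure samples, and the CURRENT_MAINTAINERS allowlist is an assumed input that an organisation would keep alongside its access reviews.

```python
"""Audit repository settings for maintainer-hijack exposure.

Added example, not part of the original page. The dictionaries mirror the
page's two YAML samples (a hypothetical settings format rather than an
official GitHub configuration file). CURRENT_MAINTAINERS is an assumed
allowlist of people who are still authorised to hold maintainer access.
"""

# Constructed: the maintainers who are currently authorised (assumption).
CURRENT_MAINTAINERS = {"secure_maintainer"}

# Constructed: the page's "Secure Settings Example" as loaded YAML.
SECURE = {
    "permissions": {"maintainers": [{"username": "secure_maintainer"}]},
    "branch_protection_rules": [{
        "pattern": "main",
        "required_status_checks": {"strict": True, "contexts": ["ci/test", "ci/lint"]},
        "enforce_admins": True,
        "required_pull_request_reviews": {"required_approving_review_count": 2},
        "restrictions": {"users": [], "teams": ["core-team"]},
    }],
}

# Constructed: the page's "Insecure Settings Example" as loaded YAML.
INSECURE = {
    "permissions": {"maintainers": [{"username": "old_maintainer"}]},
    "branch_protection_rules": [{
        "pattern": "main",
        "required_status_checks": {"strict": False},
        "enforce_admins": False,
        "required_pull_request_reviews": {"required_approving_review_count": 0},
        "restrictions": {"users": [], "teams": []},
    }],
}


def audit(settings, current_maintainers=CURRENT_MAINTAINERS, min_reviews=2):
    """Return a list of human-readable findings; an empty list means the
    settings pass every check."""
    findings = []

    # 1. Stale access: every listed maintainer must still be authorised.
    for entry in settings.get("permissions", {}).get("maintainers", []):
        name = entry.get("username", "")
        if name not in current_maintainers:
            findings.append(f"stale maintainer '{name}' still has access")

    # 2. Branch protection on the default branch.
    rules = {r.get("pattern"): r for r in settings.get("branch_protection_rules", [])}
    main = rules.get("main")
    if main is None:
        findings.append("no branch protection rule for 'main'")
        return findings

    if not main.get("enforce_admins", False):
        findings.append("main: enforce_admins is off (admins can bypass protection)")

    checks = main.get("required_status_checks", {})
    if not checks.get("strict", False) or not checks.get("contexts"):
        findings.append("main: required status checks are not strictly enforced")

    reviews = main.get("required_pull_request_reviews", {}).get(
        "required_approving_review_count", 0)
    if reviews < min_reviews:
        findings.append(
            f"main: only {reviews} approving review(s) required, want {min_reviews}")

    restrictions = main.get("restrictions", {})
    if not restrictions.get("users") and not restrictions.get("teams"):
        findings.append("main: push restrictions are empty")

    return findings


if __name__ == "__main__":
    for label, cfg in (("secure", SECURE), ("insecure", INSECURE)):
        print(f"{label}: {audit(cfg) or ['OK']}")
```

Running the audit against the secure sample produces no findings, while the insecure sample yields five, one per weakened field. In practice this kind of check belongs in a scheduled job that pulls live settings for every repository the organisation publishes from, so that a maintainer who left, or a protection someone relaxed "temporarily", is caught before a release is cut from the affected branch.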