New to CAPEC? Start Here
Home > CAPEC List > CAPEC-695: Repo Jacking (Version 3.8)  

CAPEC-695: Repo Jacking

Attack Pattern ID: 695
Abstraction: Detailed
Presentation Filter:
+ Description

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

+ Extended Description

Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts.

+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.616Establish Rogue Location
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Identify target: The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.

  1. Recreate initial repository path: The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.

  1. Exploit victims: The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.

+ Prerequisites
Identification of a popular repository that may be directly referenced in numerous software applications
A repository owner/maintainer who has recently changed their username or deleted their account
+ Skills Required
[Level: Low]
Ability to create an account on a VCS hosting site and recreate an existing directory structure.
[Level: Low]
Ability to create malware that can exploit various software applications.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Read Data
Modify Data
Access Control
Execute Unauthorized Commands
Alter Execution Logic
Gain Privileges
+ Mitigations
Leverage dedicated package managers instead of directly linking to VCS repositories.
Utilize version pinning and lock files to prevent use of maliciously modified repositories.
Implement "vendoring" (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.
Leverage automated tools, such as Checkmarx's "ChainJacking" tool, to determine susceptibility to Repo Jacking attacks.
+ Example Instances

In May 2022, the CTX Python package and PhPass PHP package were both exploited by the same adversary via Repo Jacking attacks. For the CTX package, the adversary performed an account takeover via a password reset, due to an expired domain-hosting email. The attack on PhPass entailed bypassing GitHub's authentication for retired repositories. In both cases, sensitive data in the form of API keys and passwords, each stored in the form of environment variables, were exfiltrated. [REF-732] [REF-733]

In October 2021, the popular JavaScript library UAParser.js was exploited via the takeover of the author's Node Package Manager (NPM) account. The adversary-provided malware downloaded and executed binaries from a remote server to conduct crypto-mining and to exfiltrate sensitive data on Windows systems. This was a wide-scale attack as the package receives 8 to 9 million downloads per week. [REF-732]

+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools
+ References
[REF-722] Indiana Moreau. "Repo Jacking: Exploiting the Dependency Supply Chain". Security Innovation. 2020-10-22. <>. URL validated: 2022-09-09.
[REF-732] Theo Burton. "CyRC Vulnerability Analysis: Repo jacking in the software supply chain". Synopsys. 2022-08-02. <>. URL validated: 2022-09-09.
[REF-733] Jossef Harush. "Attacker Caught Hijacking Packages Using Multiple Techniques to Steal AWS Credentials". Checkmarx. 2022-05-25. <>. URL validated: 2022-09-09.
[REF-734] Jossef Harush. "GitHub RepoJacking Weakness Exploited in the Wild by Attackers". Checkmarx. 2022-05-27. <>. URL validated: 2022-09-09.
+ Content History
Submission DateSubmitterOrganization
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 29, 2022