Overview
This course aims to educate participants on the prevalence and impact of the supply chain vulnerability known as 'repo jacking', which allows attackers to hijack Github repositories and achieve remote code execution through dependency injection. Participants will learn about the vulnerability itself, its causes, exploitation methods, and how to scan open-source projects for similar vulnerabilities. The course covers topics such as vulnerable scenarios, repository redirects, data collection, dependency analysis, key findings, and remediation strategies. The intended audience for this course includes developers, security professionals, and individuals interested in understanding and mitigating supply chain attacks in open-source projects. The teaching method involves a lecture format with a focus on research findings, practical examples, and mitigation techniques.
Syllabus
Intro
Open-source Supply Chain Attacks
Repo Jacking
Vulnerable Scenarios
Repository Redirects
GitHub's Response
Mass Analysis
Data Collection
Clean Up
Hijackable Usernames
Dependency Analysis
4. Directly Vulnerable Projects
Key Findings
Remediations
Taught by
NorthSec