ChainJacking – A New Software Supply Chain Attack Vector

We’ve found a method to scan for and take over GitHub accounts that leads to package hijacking attacks. This affects Go, Swift and other popular programming languages.

Slipping through the cracks between the designs of GitHub and the Go package manager could allow an attacker to take control of popular Go packages, poison them and infect developers and users.

We have identified several highly popular open-source Go packages that are vulnerable to a new technique dubbed ChainJacking. Some of these vulnerable packages are embedded in popular admin tools.