Repo Jacking

Identify dependencies that may expose customers to repo jacking.


Some package managers allow users to set dependencies directly on resources external to the package manager ecosystem. This includes things like links to GitHub, GitLab, or other version control systems.

For example, in NPM git+ssh://git@github.com:johnDoe/foobar.git is a valid dependency in a package.json. Generally this would not pose an issue or security risk to the developer. What happens, though, if the johnDoe user decides to delete their account from GitHub?

Unsurprisingly, it puts the username up for grabs by any developer who wishes to claim it. If a nefarious individual decides to do so, they can begin serving malicious packages from the foobar repository. In doing so, they can infect any packages that previously depended on the legitimate package.


If a user depends on a package that is vulnerable to repo jacking, they may find themselves executing code from a malicious actor. Worst of all, the malicious code may be introduced without any changes to the user's own codebase.

With repo jacking there may be no clear indication that you are vulnerable. This heuristic ensures that none of the external dependencies a customer is using are vulnerable by evaluating each URL we encounter.
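The first step of evaluating each URL can be shown with an added example, which is not Phylum's own code: it lists the dependencies in a package.json that resolve to an account on a git host rather than to the npm registry, so each owner can be reviewed. The package contents and the names `exampleOrg` and `exampleUser` are constructed, and only a subset of npm's git specifier forms is handled.

```javascript
// Added example (not Phylum's code). Covers a subset of npm's git specifier forms.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const SHORTHAND_HOSTS = { github: "github.com", gitlab: "gitlab.com", bitbucket: "bitbucket.org" };

// Returns { host, owner, repo, ref, commitPinned } for a git specifier, else null.
function parseGitSpec(spec) {
  const [target, ...rest] = spec.split("#");
  const ref = rest.length ? rest.join("#") : null;
  let host, owner, repo, m;
  if ((m = /^(?:git\+(?:ssh|https?)|git):\/\/(?:[^@\/]+@)?([^\/:]+)[\/:]([^\/]+)\/([^\/]+?)(?:\.git)?\/?$/.exec(target))) {
    // git+ssh://git@host:owner/repo.git, git+https://host/owner/repo.git, git://host/owner/repo
    [, host, owner, repo] = m;
  } else if ((m = /^(github|gitlab|bitbucket):([^\/]+)\/([^\/]+?)(?:\.git)?$/.exec(target))) {
    // host shorthand, e.g. github:owner/repo
    host = SHORTHAND_HOSTS[m[1]]; owner = m[2]; repo = m[3];
  } else if ((m = /^([A-Za-z0-9][\w.-]*)\/([\w.-]+)$/.exec(target))) {
    // bare owner/repo, which npm resolves against GitHub
    host = "github.com"; owner = m[1]; repo = m[2];
  } else {
    return null; // registry version range, tarball URL, file: path, alias, ...
  }
  // A full commit SHA is content-addressed; a branch, tag or missing ref follows
  // whatever the account currently holding the name serves.
  return { host, owner, repo, ref, commitPinned: /^[0-9a-f]{40}$/i.test(ref || "") };
}

// Collects every dependency, in any section, whose source is a git host account.
function findExternalGitDeps(pkg) {
  const found = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const parsed = typeof spec === "string" ? parseGitSpec(spec) : null;
      if (parsed) found.push({ name, section, spec, ...parsed });
    }
  }
  return found;
}

// Constructed sample package.json contents (illustrative names only).
const samplePackage = {
  dependencies: {
    foobar: "git+ssh://git@github.com:johnDoe/foobar.git",
    lodash: "^4.17.21",
    widgets: "github:exampleOrg/widgets#v2.1.0",
    pinned: "git+https://gitlab.com/exampleOrg/pinned.git#0123456789abcdef0123456789abcdef01234567",
  },
  devDependencies: { tool: "exampleUser/tool", local: "file:../local" },
};
console.log(JSON.stringify(findExternalGitDeps(samplePackage), null, 2));
```

Each `host`/`owner` pair in the output is an account whose continued existence the build depends on; entries with `commitPinned: false` pull whatever that account serves at install time.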

Risk Domains

Engineering, License

Impact on the Phylum Package Score

This is a critical issue. If a package is susceptible to repo jacking, its score will be severely impacted.

Examples from the Past

