BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi
BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
Repo jacking on bundler.io: open supply chain attack
Back to homeBug Bounty

Repo jacking on bundler.io: open supply chain attack

Repo jacking on bundler.io let an attacker claim Bundler's orphaned GitHub repo and inject malicious code into any Ruby project referencing it.

  1. Home
  2. ›
  3. Bug Bounty
  4. ›
  5. Repo jacking on bundler.io: open supply chain attack
by Gorka El Bochi Morillo
·
3 min read
·May 26, 2026

What happened

A researcher reported on HackerOne that bundler.io — the official documentation site for Bundler, Ruby's dependency manager — was linking to two GitHub repositories (`rubygems/bundler-site` and `rubygems/bundler.github.io`) whose original username had been freed after an ownership change in the organization.

The bug class is repo jacking (*dependency repository hijacking*, a form of *supply chain attack* — an attack that compromises the software supply chain rather than the final target directly). The mechanism is straightforward: when a GitHub user or organization changes their name, the old username immediately becomes available for anyone to register. If authoritative sites — like official documentation for a dependency manager — keep pointing to that old URL, anyone who claims that username can *replace the content that every link in the ecosystem references*.

The report also identified an open redirect (a trusted-domain URL that bounces users to any destination the attacker chooses) on the bundler.io domain itself, chaining both vectors to amplify potential impact.

Why it matters

This pattern isn't unique to RubyGems. The same vector exists in any project whose documentation, README, or website links to GitHub repos under usernames that have changed hands at some point. The repo doesn't even need to contain directly executable code: serving install scripts, copy-pasteable snippets, or being listed as a trusted source is enough.

The attack surface is large. Thousands of open source projects have gone through merges, renames, or account abandonments. IOCs (technical indicators that reveal an attack — here, claimed repos with unexpected content) are hard to detect unless you actively monitor what sits behind the links you publish.

The open redirect adds another angle: even without a full repo jacking, an attacker can abuse redirects on trusted domains to bypass anti-phishing filters or chain into social engineering campaigns.

The bug class combines a low barrier to entry (registering a GitHub username is free and trivial) with potentially critical impact (code injection into projects that trust those references). It's the kind of finding that bug bounty programs tend to underestimate until someone exploits it in production.

What to do

If you maintain documentation or a project site:

  • Audit every external GitHub link in your docs, README, and website today. Verify that usernames are still active and belong to the right entity.
  • Set up alerts (GitHub Dependabot, monitoring scripts) to detect unexpected changes in repositories you reference.
  • Migrate links to commit-hash URLs or forks under your own organization for any externally-referenced repo that is critical to your trust chain.

If you hunt bugs:

  • Search `web.archive.org` or `github.com/search` for usernames referenced in popular project docs that no longer exist as active organizations.
  • Check if the target domain has endpoints with parameters like `?url=`, `?redirect=`, `?next=`, `?return_to=` — prime candidates for open redirect.
  • Chain repo jacking + open redirect to raise severity: the redirect can make the official site serve as a bridge to the malicious repo.

If you run a SOC (Security Operations Center — the team that monitors for active threats):

  • Include dependency repository monitoring in your threat model for internal projects that use GitHub-based package managers.

Repo jacking has been documented for years but keeps showing up in mature programs. The reason: teams audit code, not links. A link in docs carries the same damage potential as a direct dependency if it sits in the trust chain.

What to do

  • Audit every GitHub link in your docs and confirm the username is still claimed by the right owner.
  • Search target domains for open redirect parameters (`?url=`, `?redirect=`, `?next=`) and test for bypass.
  • Pin critical external references to commit-hash URLs or fork them under your own org.

Share this story

Help more people discover BBLabs News.

Repo jacking on bundler.io: open supply chain attack
VerticalDownload image
LinkedInXWhatsApp

Interested in Bug Bounty?

Subscribe to this stream and get the most relevant news every day — no spam, no noise.

Subscribe

Related articles

Destacado
Bug Bounty31 may 2026·2 min

Shopify: email confirmation bypass → account takeover

@ngalog bypassed Shopify's patch for a prior email-confirmation bug and verified arbitrary emails to access accounts they didn't own.

  • Retest the full flow after any published fix lands.
  • Hunt resolved reports in your target vuln class on HackerOne.
  • Test email verification with two separate attacker and victim accounts.
Gorka El Bochi Morillo
Leer artículo
Bug Bounty30 may 2026·2 min

Ruby JSON.generate leaks heap memory via null bytes

Ruby's JSON.generate leaks arbitrary heap memory when null bytes are passed via JSON::State.space.

Leer artículo
Bug Bounty28 may 2026·2 min

TaxJar: org owner could hijack any member's account

TaxJar (Stripe) let an org owner overwrite any member's email address, enabling full account takeover.

Leer artículo

Want to get news like this every day?

Browse all articles
BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi