How I Earned $8947 bounty for Remote Code Execution via a Hijacked GitHub Module
Summary
A security researcher identified a remote code execution vulnerability in a major company's software that would have allowed an attacker to take control of the target's infrastructure.
By hijacking a third-party GitHub account that the company's projects depended on, the researcher created a scenario in which anyone building or deploying the affected projects would unknowingly download code from the hijacked account.
Any victim who built with the compromised module would run the attacker's code, giving the attacker code execution on their infrastructure almost immediately.
After reporting the vulnerability through the company's HackerOne programme, the researcher was awarded a $8,947 bounty for the discovery and provided a detailed explanation of how the vulnerability was identified and exploited.
The report recommended removing references to the compromised module from all of the company's repositories and vendorising dependencies, so that builds no longer fetch code from a third-party account that could be taken over.
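The hijack condition described above (a build pulls code from whatever GitHub account currently owns a name) and the remediation (find every reference and remove or vendor it) both come down to one audit: enumerate the GitHub owners referenced in dependency manifests, check whether each account still exists, and check whether the reference is pinned to something the account owner cannot change. The script below does that. It is an added example, not the researcher's code or the company's tooling; the manifest contents, the account names `acme-tools` and `old-maintainer`, and the `constructed_owner_exists` lookup are all constructed for illustration.

```python
"""Find dependency references that point at GitHub accounts an attacker could
take over, and classify how badly each one is exposed.

Added example, not the researcher's code. Manifest contents, account names
and the 'which accounts still exist' answer below are all constructed.
"""
import re
from typing import Callable, Dict, List, Optional

# Matches github.com/owner/repo (https or ssh form) and npm's github:owner/repo
# shorthand, with an optional .git suffix and an optional @ref or #ref.
GITHUB_REF = re.compile(
    r"(?:github\.com[/:]|github:)"
    r"(?P<owner>[A-Za-z0-9](?:[A-Za-z0-9-]{0,37}[A-Za-z0-9])?)/"
    r"(?P<repo>[A-Za-z0-9_.-]+?)"
    r"(?:\.git)?"
    r"(?:[@#](?P<ref>[A-Za-z0-9._/-]+))?"
    r"(?=[\s\"'#&,)]|$)"
)

# Only a full commit SHA is content-addressed; tags and branches can be moved
# by whoever controls the account, so they do not pin what gets fetched.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def is_content_pinned(ref: Optional[str]) -> bool:
    return bool(ref and FULL_SHA.match(ref))


def audit(manifests: Dict[str, str], owner_exists: Callable[[str], bool]) -> List[dict]:
    """Return one finding per GitHub reference found in the manifests.

    owner_exists(owner) answers whether the GitHub account name is still taken.
    A name that is free can be registered by an attacker, who then serves
    whatever code they like under the same URL the builds already use.
    """
    findings = []
    for path, text in manifests.items():
        for m in GITHUB_REF.finditer(text):
            owner, repo, ref = m.group("owner"), m.group("repo"), m.group("ref")
            dangling = not owner_exists(owner)
            pinned = is_content_pinned(ref)
            if dangling and not pinned:
                risk = "critical"  # free name + mutable ref: attacker-controlled code
            elif dangling:
                risk = "high"      # free name, but a hash-verifying fetch rejects swapped code
            elif not pinned:
                risk = "medium"    # account exists; a compromise or rename still changes the code
            else:
                risk = "low"
            findings.append({"file": path, "owner": owner, "repo": repo, "ref": ref,
                             "dangling": dangling, "pinned": pinned, "risk": risk})
    return findings


def owners_to_replace(findings: List[dict]) -> List[str]:
    """Accounts whose references must be removed or vendored in every repository."""
    return sorted({f["owner"] for f in findings if f["dangling"]})


# Constructed sample input: four manifests from a hypothetical monorepo.
SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_MANIFESTS = {
    "requirements.txt": (
        "requests==2.31.0\n"
        f"git+https://github.com/acme-tools/httpx-ext.git@{SAMPLE_SHA}#egg=httpx_ext\n"
        "git+https://github.com/old-maintainer/yaml-helpers.git@main#egg=yaml_helpers\n"
    ),
    "package.json": (
        '{\n  "dependencies": {\n'
        '    "left-pad": "github:old-maintainer/left-pad#v1.3.0",\n'
        '    "lodash": "^4.17.21"\n  }\n}\n'
    ),
    "Dockerfile": "RUN git clone https://github.com/old-maintainer/build-tools /opt/build-tools\n",
    "go.mod": "module example.com/app\n\nrequire github.com/acme-tools/goutil v1.4.0\n",
}

# Constructed stand-in for a GitHub lookup: pretend 'old-maintainer' was deleted.
KNOWN_OWNERS = {"acme-tools"}


def constructed_owner_exists(owner: str) -> bool:
    return owner in KNOWN_OWNERS


if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFESTS, constructed_owner_exists):
        print(f"{f['risk']:8} {f['file']:17} {f['owner']}/{f['repo']} ref={f['ref']}")
    print("replace:", owners_to_replace(audit(SAMPLE_MANIFESTS, constructed_owner_exists)))
```

For a live run, `owner_exists` can be a function that requests `https://api.github.com/users/<owner>` and treats a 200 as "taken". Two caveats: a 200 only says the name is taken right now, and GitHub redirects renamed accounts and repositories, so a dependency that still resolves may already be served through a redirect from a name that is free to register. Either way, every reference the audit reports as dangling should be removed from the repositories and the dependency vendored, which is the remediation the report recommended.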