How does a Repo Jacking attack work?

It typically unfolds over 3 phases. It begins with: [Identify target] The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.

How do you prevent CAPEC-695?

Leverage dedicated package managers instead of directly linking to VCS repositories.

What weaknesses does CAPEC-695 target?

CAPEC-695 exploits 2 CWE weaknesses, including CWE-494 (Download of Code Without Integrity Check), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

How severe is CAPEC-695?

MITRE rates CAPEC-695 as High severity with medium likelihood of attack.

CAPEC-695: Repo Jacking

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

Last updated June 1, 2026

High

Typical severity

Per MITRE

Medium

Likelihood of attack

Per MITRE

Related weaknesses

CWEs this targets

Detailed

Abstraction

MITRE classification

Overview

Software developers may directly reference a VCS repository (i.e., via a hardcoded URL) within source code to integrate the repository as a dependency for the underlying application. If the repository owner/maintainer modifies the repository name, changes their VCS username, or transfers ownership of the repository, the VCS implements a redirect to the new repository location so that existing software referencing the repository will not break. However, if the original location of the repository is reestablished, the VCS will revert to resolving the hardcoded path. Adversaries may, therefore, re-register deleted or previously used usernames and recreate repositories with malicious code to infect applications referencing the repository. When an application then fetches the desired dependency, it will now reference the adversary's malicious repository since the hardcoded repository path is once again active. This ultimately allows the adversary to infect numerous applications, while achieving a variety of negative technical impacts.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify target] The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.
Step 2
Experiment
[Recreate initial repository path] The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.

CAPEC-695: Repo Jacking

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-695?

How does a Repo Jacking attack work?

How do you prevent CAPEC-695?

What weaknesses does CAPEC-695 target?

How severe is CAPEC-695?

References

Defend against CAPEC-695

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CAPEC-695?

How does a Repo Jacking attack work?

How do you prevent CAPEC-695?

What weaknesses does CAPEC-695 target?

How severe is CAPEC-695?

References

Defend against CAPEC-695