
How to stay safe from repo-jacking

Blog post from GitHub

Post Details
Author: Kevin Backhouse
Word count: 1,849
Language: English
Summary

Repo-jacking is a supply chain attack against open source repositories that becomes possible when a GitHub user changes their username: an attacker who registers the abandoned username can take control of the repository's original name and serve malicious code from it. The risk is mitigated by GitHub's tombstoning algorithm, which permanently retires popular repository names once they are renamed, and by the fact that most software is distributed through package managers such as npm or PyPI, which add an extra layer of security. Repo-jacking remains a concern for projects that pull dependencies directly from GitHub, and developers can protect themselves by locking those dependencies to specific commit IDs. Recent advances in supply chain security, such as the use of OpenID Connect for build provenance and the Supply-chain Levels for Software Artifacts (SLSA) framework, aim to strengthen software supply chains further.
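To make the commit-pinning advice concrete, here is an added Python checker (not code from the post or from GitHub) that flags GitHub-sourced dependency specifiers, in pip requirements.txt form and npm package.json shorthand form, whose reference is not a full commit SHA. The organisation and package names in the sample specs are made up.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Only a full 40-hex commit SHA names fixed content; a branch or tag can be
# re-pointed by whoever controls the repository name after a rename.
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# pip VCS requirement: git+https://github.com/owner/repo[.git][@ref][#egg=name]
PIP_GITHUB = re.compile(
    r"git\+https?://github\.com/(?P<repo>[\w.-]+/[\w.-]+?)(?:\.git)?"
    r"(?:@(?P<ref>[^#\s]+))?(?:#|$)")
# npm shorthand "github:owner/repo[#ref]" / "owner/repo[#ref]" (full git URLs not handled)
NPM_GITHUB = re.compile(
    r"^(?:github:)?(?P<repo>[\w.-]+/[\w.-]+?)(?:\.git)?(?:#(?P<ref>.+))?$")

def classify(ref: Optional[str]) -> str:
    """Return 'pinned' for a full commit SHA, otherwise say why the pin is weak."""
    if not ref:
        return "no ref (default branch)"
    if FULL_SHA.fullmatch(ref):
        return "pinned"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "abbreviated sha (ambiguous, can collide)"
    return f"mutable ref '{ref}'"

def audit(specs: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag GitHub-sourced dependency specs that are not pinned to a full commit SHA."""
    findings = []
    for spec in specs:
        spec = spec.strip()
        if not spec or spec.startswith("#"):
            continue  # blank or commented-out line
        m = PIP_GITHUB.search(spec) or NPM_GITHUB.match(spec)
        if m and (verdict := classify(m.group("ref"))) != "pinned":
            findings.append((m.group("repo"), verdict))
    return findings

# Constructed sample inputs; organisation and package names are made up.
SAMPLE_SPECS = [
    "requests==2.31.0",                                  # not from GitHub
    "git+https://github.com/example-org/goodlib@0123456789abcdef0123456789abcdef01234567#egg=goodlib",
    "git+https://github.com/example-org/floatlib@main#egg=floatlib",
    "-e git+https://github.com/example-org/looselib#egg=looselib",
    "^1.3.0",                                            # npm semver range
    "github:example-org/pinned-tool#0123456789abcdef0123456789abcdef01234567",
    "example-org/drifting-tool#develop",
    "github:example-org/short-pin#0123456",
]
```

Running `audit(SAMPLE_SPECS)` reports floatlib, looselib, drifting-tool and short-pin; the two full-SHA pins and the registry specs pass.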