In a clever twist on software supply chain attacks, threat actors are weaponizing a quirk in GitHub’s architecture to distribute malware that appears to come from trusted, official sources. A new report by GMO Cybersecurity by Ierae, Inc. details an ongoing campaign where attackers successfully used this technique—dubbed “repo squatting”—to target the official GitHub Desktop repository.
The attack is deceptively simple but devastatingly effective. It exploits the way GitHub handles “forks,” allowing malicious code to masquerade as a legitimate update from a verified vendor.
The core of the issue lies in how GitHub displays commits. Typically, when a developer wants to contribute to a project, they “fork” (copy) the repository, make changes, and submit a pull request. However, the report highlights a design flaw: if a user commits changes to their own fork, that commit can still be viewed through the upstream (official) repository’s URL structure. The reason is that GitHub stores every repository in a fork network in one shared object store, so a commit that exists only in a fork is still rendered when its hash is requested under the upstream’s /commit/ path, even though no branch or tag of the upstream points to it.

“This effectively allows a user’s commit to appear under the official repository’s namespace, even though they do not have direct write permissions to it,” the researchers explain.
By crafting a URL that looks like it belongs to the official project (e.g., github.com/official-project/repo/commit/malicious-hash) but actually resolves to a commit that exists only in the attacker’s fork, attackers can trick users into downloading compromised software. “We refer to this technique as repo squatting,” the report states.
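As an added illustration (not code from the Ierae report or from GitHub), the following Python script models the check a practitioner wants against a URL of this shape: it parses github.com/owner/repo/commit/sha and asks whether the commit is reachable from one of the upstream’s own branches or tags, rather than merely existing somewhere in the shared fork network. The fork network, commit hashes, ref names and the example-org/example-repo namespace are all constructed for the example.

```python
"""
Is a commit referenced under an upstream GitHub namespace really part of that
repository's history?  Added example; not code from the Ierae report or GitHub.
The fork network, SHAs, ref names and owner/repo below are constructed.
"""
from __future__ import annotations

import re
from collections import deque

# Shape of the URL the article describes: github.com/<owner>/<repo>/commit/<sha>
COMMIT_URL = re.compile(
    r"^https?://github\.com/(?P<owner>[^/\s]+)/(?P<repo>[^/\s]+)/commit/"
    r"(?P<sha>[0-9a-fA-F]{7,40})/?$"
)


def parse_commit_url(url: str) -> tuple[str, str, str]:
    """Return (owner, repo, sha) from a GitHub commit URL; ValueError otherwise."""
    m = COMMIT_URL.match(url.strip())
    if m is None:
        raise ValueError(f"not a GitHub commit URL: {url!r}")
    return m.group("owner"), m.group("repo"), m.group("sha").lower()


def resolve_sha(prefix: str, commits: dict[str, list[str]]) -> str | None:
    """Expand a (possibly abbreviated) SHA; None if unknown or ambiguous."""
    matches = [sha for sha in commits if sha.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def refs_containing(sha: str, refs: dict[str, str],
                    commits: dict[str, list[str]]) -> list[str]:
    """Names of refs whose ancestry (walking parent links) includes `sha`.

    This is the question `git branch -r --contains <sha>` answers on a fresh
    clone of the upstream; the web UI's /commit/<sha> page does not ask it.
    """
    found = []
    for name, tip in refs.items():
        seen: set[str] = set()
        queue = deque([tip])
        while queue:
            cur = queue.popleft()
            if cur == sha:
                found.append(name)
                break
            if cur in seen:
                continue
            seen.add(cur)
            queue.extend(commits.get(cur, []))
    return sorted(found)


def classify_commit_url(url: str, upstream_refs: dict[str, str],
                        network_commits: dict[str, list[str]]) -> dict:
    """Decide whether a commit URL under the upstream namespace is official,
    fork-only (repo squatting) or unknown to the fork network."""
    owner, repo, prefix = parse_commit_url(url)
    sha = resolve_sha(prefix, network_commits)
    if sha is None:
        return {"owner": owner, "repo": repo, "sha": prefix,
                "refs": [], "verdict": "unknown"}
    refs = refs_containing(sha, upstream_refs, network_commits)
    return {"owner": owner, "repo": repo, "sha": sha,
            "refs": refs, "verdict": "official" if refs else "fork-only"}


# Constructed fork network.  GitHub keeps every repository in a fork network in
# one shared object store, so C4 (pushed only to a fork) renders fine under the
# upstream's URL even though no upstream branch or tag reaches it.
C1, C2, C3, C4 = "1" * 40, "2" * 40, "3" * 40, "4" * 40
NETWORK_COMMITS = {C1: [], C2: [C1], C3: [C2], C4: [C3]}   # sha -> parent shas
UPSTREAM_REFS = {"refs/heads/main": C3, "refs/tags/v1.0.0": C2}
UPSTREAM = "https://github.com/example-org/example-repo/commit/"   # hypothetical


if __name__ == "__main__":
    for sha in (C2, C3, C4, "9" * 40):
        print(classify_commit_url(UPSTREAM + sha, UPSTREAM_REFS, NETWORK_COMMITS))
```

Against a real repository the same question is answered by cloning the upstream and running `git branch -r --contains <sha>` and `git tag --contains <sha>`: a fresh clone fetches only the upstream’s refs, so a fork-only commit is simply absent from it. Opening the same hash in the GitHub web UI under the upstream path succeeds either way, which is exactly the ambiguity repo squatting exploits.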
The researchers tracked a campaign specifically targeting the GitHub Desktop installer. Attackers created a fork, added a malicious installer containing the HijackLoader malware, and then circulated the link. To the untrained eye—and even to some security tools—the download appeared to originate directly from GitHub’s own official repository.
“Attackers hijacked the official GitHub Desktop repository to distribute malware masquerading as the GitHub Desktop installer,” the report confirms.
Once installed, the malware acts as a multi-stage loader. Analysis of the payload revealed it to be HijackLoader, a notorious tool used to deploy various information stealers and RATs. Technical analysis of the binary identified hard-coded hash values consistent with known HijackLoader samples.
Perhaps most concerning is that this is not a patched vulnerability. While GitHub has been notified, the behaviour remains in place: the report treats it as an architectural “feature” of fork networks rather than a bug that has been fixed.
“On September 9, 2025, GitHub stated that their security team is aware of this issue and is taking measures to mitigate it,” the report notes. “However, as of December 29, 2025, it can still be reproduced.”
The campaign was most active between September and October 2025, but the persistence of the technique means developers and users must remain vigilant. The mere presence of a download link on an “official” GitHub URL is no longer a guarantee of safety: the owner/repo part of a commit URL proves only that the hash exists somewhere in that fork network. Before trusting a file fetched this way, confirm that the commit is reachable from one of the upstream’s own branches or tags, and prefer the project’s published releases over binaries pulled from arbitrary commit URLs.