Attackers Hijack GitHub Desktop Repo to Spread Malware via Official Installer

[Brownie2019]

Content source

https://gbhackers.com/github-desktop-repo/

Threat actors have successfully exploited a design flaw in GitHub’s fork architecture to distribute malware disguised as the legitimate GitHub Desktop installer.

The attack chain begins with a deceptively simple but effective technique. Attackers create throwaway GitHub accounts and fork the official GitHub Desktop repository.

They then modify the download link in the README file to point to their malicious installer and commit the change.

Crucially, the commit hash becomes viewable under the official repository’s namespace appearing as github.com/desktop/desktop/tree/<commit_hash> despite the attacker having no direct write permissions to the official repository.

The attack, which research firm GMO Cybersecurity has been actively tracked since September 2025, leverages a technique called “repo squatting” to make malicious commits appear under official repository namespaces, deceiving users into downloading trojaned software.

More on:

Attackers Hijack GitHub Desktop Repo to Spread Malware via Official Installer

Threat actors have successfully exploited a design flaw in GitHub's fork architecture to distribute malware disguised as the legitimate GitHub Desktop installer.

gbhackers.com

 

[Bot]

More on:

Attackers Hijack GitHub Desktop Repo to Spread Malware via Official Installer

Threat actors have successfully exploited a design flaw in GitHub's fork architecture to distribute malware disguised as the legitimate GitHub Desktop installer.

gbhackers.com

What you quoted is a real-world abuse pattern, but it’s important to phrase it correctly: the official desktop/desktop repository is not being “written to” or “hijacked” in the normal sense. The trick is that GitHub’s fork “network” lets commit objects created in a fork be reachable by hash, and the resulting URL can look like it sits under the upstream repo path (for example, /desktop/desktop/tree/<sha>), which can mislead users who don’t notice the warnings or context. This has been actively used in malvertising campaigns to push trojanized “GitHub Desktop” installers.

What’s actually being abused

• Attackers fork a popular repo (like GitHub Desktop), change README download links in their fork, and commit.
• GitHub can still serve that commit object by its hash within the repository “network,” so the URL may appear under the upstream namespace even though it’s not on any official branch/tag.
• Campaigns then promote that specific commit URL via sponsored ads, sometimes using a #anchor to deep-link past (or visually de-emphasize) GitHub’s warning text on the page.

GMO Cybersecurity describes this “repo squatting” technique and how it was used in the September–October 2025 wave to deliver a malicious GitHub Desktop installer and subsequent payloads. Another related angle is GitHub’s broader “cross-fork object reference” behavior (where deleted fork data can remain reachable in the network), which has been publicly discussed as a security risk/UX trap rather than a classic repo compromise.

Why it works on users

• The URL looks official at a glance (desktop/desktop/…).
• Many users treat “a GitHub page under the right org/repo name” as equivalent to “an official release.”
• Sponsored search results put these links directly in front of people specifically searching “GitHub Desktop download.”

Practical safety guidance (what to tell users)

• Do not download “installers” from a README link you reached via a commit-hash URL (tree/<sha>), especially from ads.
• For GitHub Desktop, use official distribution points (the project’s official Releases page, or GitHub’s official website / trusted package channels).
• On Windows, verify the installer’s digital signature (Publisher should be GitHub / GitHub, Inc. for the legitimate installer) before running it.
• If someone already ran a suspicious “GitHubDesktopSetup…” file: disconnect from the network, run a full scan with Microsoft Defender (and ideally a second-opinion scanner), and treat saved browser/session credentials as potentially exposed until proven otherwise.

Takeaway
This is best viewed as a “trust/UI” weakness in how GitHub exposes fork-network objects by hash (and how easily that can be weaponized with ads), not as attackers gaining write access to the official GitHub Desktop repository. The safest mitigation is to train users to only install from official Releases / official vendor channels and to verify code-signing on installers.

Sources

• Revisiting GPUGate: Repo Squatting and OpenCL Deception to Deliver HijackLoader | セキュリティブログ | 脆弱性診断（セキュリティ診断）のGMOサイバーセキュリティ byイエラエ
• Attackers Hijack GitHub Desktop Repo to Spread Malware via Official Installer
• GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms
• Researcher says deleted GitHub data can be accessed 'forever' | TechTarget
• What happens to forks when a repository is deleted or changes visibility? - GitHub Docs

 

[Divergent]

Indicators of Compromise (IOCs)

Malicious File
GitHubDesktopSetup-x64.exe

SHA-256 Hash
e252bb114f5c6e8648b251f28b5e2825835942f746197992769622944b2f2e5

Persistence Mechanism
Scheduled Task named WinSvcUpd

Evasion Signals
Unauthorized Defender exclusions for AppData, LocalAppData, and ProgramData.

​

Remediation & Recovery​

For Corporate Environments​

Identity Revocation (P0)
Immediately revoke all OIDC/SAML sessions and reset MFA for any accounts accessed from the infected host. The LummaC2 payload is designed to steal session tokens.

Persistence Scrubbing
Use EDR or PowerShell to identify and delete the WinSvcUpd scheduled task and remove Defender exclusions.

Sweep for Sideloading
Hunt for unauthorized vssapi.dll modifications or Qt5Network.dll loads from user-writable directories.

For Home Users​

Immediate Password Resets
Log out of all sensitive accounts (email, banking) and change passwords from a different, clean device.

System Cleanse
Delete the downloaded installer and any files in AppData\Local or ProgramData that were created at the time of infection.

Scheduled Task Removal
Open 'Task Scheduler' and delete the WinSvcUpd entry.

​

Post-Incident Hardening​

Binary Authorization
Implement AppLocker (CIS Benchmark 1.1.1) to restrict execution to signed paths.

Safe Sourcing
Only download software from official GitHub Releases pages, which require verified write-access to the repository.

References​

NIST SP 800-61r3
(Incident Handling).

GMO Cybersecurity
Revisiting GPUGate and Repo Squatting.

GitHub Security Documentation
Fork and Commit Namespace Architecture.

 

[SeriousHoax]

The PowerShell stager adds Microsoft Defender exclusions for AppData, LocalAppData, and ProgramData directories, allowing subsequent payloads to execute undetected.

Microsoft likes users getting infected

 

[Parkinsond]

Microsoft likes users getting infected

Punishing them for using MAS for Office