securityonline.info 1/27/2026, 3:00:55 AM

“Repo Squatting”: How Hackers Are Using GitHub’s Own Features to Hijack Official Repos

In a report published on 27 January 2026, researchers describe a campaign dubbed “repo squatting” in which attackers abuse GitHub’s handling of forks to distribute malware that appears to come from official sources, in this case targeting the GitHub Desktop repository. The core flaw is that commits pushed to an attacker’s fork can be displayed under the upstream repository’s URL structure, allowing malicious updates to masquerade as legitimate ones.

According to GMO Cybersecurity by Ierae, Inc., the attackers crafted malicious URLs that resemble official project paths, such as github[.]com/official-project/repo/commit/malicious-hash, to trick users into downloading compromised software. The campaign centred on the GitHub Desktop installer, with a multi-stage loader and HijackLoader malware identified in the payload, and analysts note hard-coded hash values consistent with HijackLoader samples.

GitHub was notified and stated on 9 September 2025 that its security team was aware of the issue and that mitigation steps were underway, but the underlying behaviour remains active: as of 29 December 2025 it could still be reproduced. The activity was most intense between September and October 2025, underscoring the need for vigilance even when a download link appears to originate from an official GitHub URL.
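Because the owner/repo part of a commit URL does not prove which repository a commit belongs to, the practical check is to ask a local clone of the upstream project whether the commit is reachable from any of its branches or tags. The following is an added example, not code from the report or from GitHub; it assumes the `git` CLI is on PATH and builds a small constructed repository in a temp directory to model a fork-only commit.

```python
"""Check whether a commit named in a github.com/<owner>/<repo>/commit/<sha>
URL is actually part of <owner>/<repo>'s history (added example; assumes git on PATH)."""
import os
import subprocess
import tempfile


def _git(repo, *args):
    # Identity is pinned via -c so the constructed demo works without global config.
    return subprocess.run(
        ["git", "-C", repo, "-c", "user.name=demo",
         "-c", "user.email=demo@example.invalid", *args],
        check=True, capture_output=True, text=True,
    ).stdout.strip()


def commit_exists(repo, sha):
    """True if the commit object is present in the local object store at all."""
    rc = subprocess.run(["git", "-C", repo, "cat-file", "-e", f"{sha}^{{commit}}"],
                        capture_output=True).returncode
    return rc == 0


def refs_containing(repo, sha):
    """Return the upstream branches/tags whose history contains sha.
    A commit that lives only in a fork is reachable from none of them,
    no matter how its web URL reads; an unknown object yields []."""
    if not commit_exists(repo, sha):
        return []
    refs = _git(repo, "for-each-ref", "--format=%(refname)",
                "refs/heads", "refs/tags").split()
    return [ref for ref in refs if subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", sha, ref],
        capture_output=True).returncode == 0]


def build_demo_repo():
    """Constructed demo repo: one legitimate commit on main, plus a commit made
    with commit-tree that exists in the object store but under no upstream ref,
    modelling a commit that only exists in an attacker's fork."""
    repo = tempfile.mkdtemp(prefix="upstream-")
    _git(repo, "init", "-q")
    _git(repo, "symbolic-ref", "HEAD", "refs/heads/main")
    with open(os.path.join(repo, "README"), "w") as f:
        f.write("official project\n")
    _git(repo, "add", "README")
    _git(repo, "commit", "-q", "-m", "initial release")
    legit = _git(repo, "rev-parse", "HEAD")
    tree = _git(repo, "rev-parse", "HEAD^{tree}")
    squat = _git(repo, "commit-tree", tree, "-p", legit, "-m", "fork-only commit")
    return repo, legit, squat
```

A commit that `refs_containing` reports under no upstream ref should be treated as untrusted even if it renders under the official project's URL.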

Article by CyberSIXT