Intel Name: Malvertising campaign pushing dangling commits in official GitHub repo
Date of Scan: September 12, 2025
Impact: Medium
Summary: Since early August 2025, a sophisticated malvertising campaign has been observed where attackers abuse GitHub’s repository forking system to deliver a fake GitHub Desktop client. The attackers create dangling commits by forking legitimate repositories, injecting malicious commits, and then deleting the fake user accounts. Despite deletion, the malicious commit links remain accessible and appear to belong to the official repo, misleading users. To further evade detection, attackers anchor links to the middle of the page, effectively hiding GitHub’s security warning banner. Victims have been identified across the U.S., Europe, South America, and Asia, affecting industries such as communication, tourism, software, public services, e-commerce, and retail.
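A triage heuristic for the link pattern described in the summary, added here as an example and not part of the original report: it flags github.com links pinned to a full commit SHA and raises the priority when the link also carries a fragment anchor. The URL shapes it expects, the verdict names, and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

FULL_SHA = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Views whose next path segment is a ref (branch, tag or commit SHA).
REF_VIEWS = {"tree", "blob", "commit", "raw"}

def triage_github_link(url):
    """Return (verdict, reasons) for one link.

    Heuristic only: a SHA-pinned link is not proof that the commit is
    dangling; it marks the link for a check against the repo's branches.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host not in ("github.com", "www.github.com"):
        return "ignore", ["not a github.com link"]
    segs = [s for s in parts.path.split("/") if s]
    # Assumed shape: /<owner>/<repo>/<view>/<ref>[/<path>...]
    if len(segs) < 4 or segs[2] not in REF_VIEWS:
        return "ok", ["no commit-pinned view in path"]
    owner, repo, view, ref = segs[:4]
    if not FULL_SHA.match(ref):
        return "ok", [f"ref '{ref}' is a branch or tag name, not a full SHA"]
    reasons = [f"{owner}/{repo} {view} view pinned to commit {ref[:12]}"]
    if parts.fragment:
        # A fragment scrolls the page, so a top-of-page banner is off screen.
        reasons.append(f"fragment '#{parts.fragment}' skips the top of the page")
        return "review-high", reasons
    return "review", reasons

# Constructed sample links (placeholder org, repo and SHA; not from the report).
SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLES = [
    f"https://github.com/example-org/example-repo/tree/{SHA}#download",
    f"https://github.com/example-org/example-repo/tree/{SHA}?tab=readme-ov-file",
    "https://github.com/example-org/example-repo/blob/main/README.md#install",
    f"https://github.example.net/example-org/example-repo/tree/{SHA}#download",
    "https://github.com/example-org/example-repo/releases",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reasons = triage_github_link(link)
        print(f"{verdict:12} {link}\n             " + "; ".join(reasons))
```

A flagged link is only a candidate: confirm it by checking whether any branch of the official repository contains the commit, for example with `git branch -r --contains <sha>` in a fresh clone.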