
The attack shows how trusted developer platforms can become vectors for supply‑chain compromise, endangering millions of developers and downstream organizations.
The recent GitHub Desktop hijack demonstrates how a subtle property of GitHub’s fork architecture can be weaponised. By forking the official desktop repository and altering the README download link, attackers produce a commit whose hash is reachable under the ‘desktop/desktop’ namespace despite their having no write access to that repository, because commits in a fork network are addressable through the upstream repository’s URL. This ‘repo squatting’ technique makes the malicious installer appear as a legitimate update, exploiting developers’ habit of following repository links. Because the commit hash remains resolvable even after the fork is removed, the flaw is a systemic supply‑chain weakness that erodes trust in open‑source distribution channels.
The payload, delivered as GitHubDesktopSetup‑x64.exe, is a single‑file .NET binary that functions as a multi‑stage loader named HijackLoader. Its most striking evasion tactic is the abuse of OpenCL: analysis environments without GPU drivers fail to run it, and the decryption keys it derives are hidden from static inspection. Once executed, the loader downloads encrypted archives and uses DLL sideloading and module stomping to inject shellcode into vssapi.dll. Persistence is achieved through a scheduled task called WinSvcUpd, and PowerShell commands add Microsoft Defender exclusions so that subsequent payloads run undetected on compromised machines.
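The two host-level artefacts the article names, a scheduled task called WinSvcUpd and a PowerShell call that adds a Defender exclusion, are the most practical detection hooks for a SOC. The following is an added example (not code from the article or from any vendor product) that runs a small rule set over constructed Windows event records. The record layout, a tuple of event ID and message text, is a simplified stand-in for Security event 4698 (task created), PowerShell event 4104 (script block logged) and Security event 4688 (process created); the sample messages and the file path they mention are constructed for this example. It also generalises slightly beyond the article by flagging any scheduled task whose command runs from a user-writable directory, which catches renamed variants of the same persistence step.

```python
"""Detection rules for the persistence and defence-evasion steps described
in the article: a scheduled task named WinSvcUpd and a Defender exclusion
added via PowerShell.  The event records below are constructed samples,
not captured from a real incident; the field layout is an assumption."""
import re

# Constructed sample events: (Windows event id, message text).
SAMPLE_EVENTS = [
    (4698, "A scheduled task was created. Task Name: \\WinSvcUpd "
           "Task Content: <Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec>"),
    (4104, 'Creating Scriptblock text (1 of 1): '
           'Add-MpPreference -ExclusionPath "C:\\Users\\Public"'),
    (4104, "Creating Scriptblock text (1 of 1): Get-ChildItem C:\\Temp"),
    (4698, "A scheduled task was created. "
           "Task Name: \\Microsoft\\Windows\\Defrag\\ScheduledDefrag "
           "Task Content: <Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"),
    (4688, "A new process has been created. "
           "New Process Name: C:\\Windows\\System32\\cmd.exe"),
]

# Task name taken from the article; compared case-insensitively on the leaf name.
SUSPICIOUS_TASK_NAMES = {"winsvcupd"}

# Directories an unprivileged user can write to; a scheduled task executing
# from one of these is a generic persistence signal (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

TASK_NAME_RE = re.compile(r"Task Name:\s*([^\s]+)")
TASK_COMMAND_RE = re.compile(r"<Command>([^<]+)</Command>", re.IGNORECASE)
DEFENDER_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)


def classify_event(event_id, message):
    """Return the list of finding labels raised by one event (empty if benign)."""
    findings = []
    if event_id == 4698:
        name_match = TASK_NAME_RE.search(message)
        if name_match:
            full_name = name_match.group(1)
            leaf = full_name.split("\\")[-1]
            if leaf.lower() in SUSPICIOUS_TASK_NAMES:
                findings.append("persistence:scheduled_task_name:" + leaf)
        cmd_match = TASK_COMMAND_RE.search(message)
        if cmd_match and cmd_match.group(1).lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append("persistence:task_runs_from_user_writable_path")
    elif event_id == 4104 and DEFENDER_EXCLUSION_RE.search(message):
        findings.append("defense_evasion:defender_exclusion_added")
    return findings


def scan(events):
    """Map each event's index to its findings, keeping only events that fire."""
    results = {}
    for index, (event_id, message) in enumerate(events):
        labels = classify_event(event_id, message)
        if labels:
            results[index] = labels
    return results


if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index][0], labels)
```

The two signals are deliberately independent: the task-name match is a high-confidence indicator tied to this campaign, while the user-writable-path rule and the Defender-exclusion rule are low-cost, campaign-agnostic checks that surface the same tradecraft under a different task name.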
Mitigation requires both user vigilance and platform‑level safeguards. Security teams should enforce strict verification of installer sources, preferring the official Releases page over README links or sponsored ads, and should validate the installer’s hash before execution. GitHub must consider tightening its namespace exposure, possibly by restricting commit visibility for forks that modify download assets. The incident underscores a broader trend of supply‑chain attacks targeting developers, prompting enterprises to integrate repository monitoring and anomaly detection into their threat‑intel programs. Strengthening these controls will help preserve the integrity of open‑source ecosystems and protect downstream organizations.
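The two user-side controls the article recommends, preferring the official Releases page over README links and hash-validating the installer before execution, can be enforced mechanically in a download script. The following is an added example, not code from the article or from the GitHub Desktop project. It accepts a URL only if it is an HTTPS github.com Releases asset under the ‘desktop/desktop’ repository, which rejects links that resolve to an arbitrary commit hash in the same namespace, and then compares the file’s SHA-256 against a digest obtained out of band. The release tag, the commit-hash-style URL and the expected digest in the usage section are constructed placeholders; the only real digest used is that of the empty input, which serves to make the check verifiable here.

```python
"""Pre-execution checks for a GitHub Desktop installer download: the URL
must be an official Releases asset, and the file's SHA-256 must match a
digest obtained from a separate, trusted channel.  Added example; tags,
commit-style URLs and the placeholder digest are constructed."""
import hashlib
import hmac
from urllib.parse import urlsplit

OFFICIAL_OWNER_REPO = "desktop/desktop"  # repository named in the article
ALLOWED_HOST = "github.com"


def is_official_release_asset(url):
    """True only for https://github.com/desktop/desktop/releases/download/<tag>/<asset>.

    Blob, raw and commit-hash URLs under the same owner/repo are rejected, since
    a forked commit is reachable through those paths without write access.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != ALLOWED_HOST:
        return False
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 6:
        return False
    owner, repo, releases, download, tag, asset = segments
    return (f"{owner}/{repo}" == OFFICIAL_OWNER_REPO
            and releases == "releases"
            and download == "download"
            and bool(tag)
            and asset.lower().endswith(".exe"))


def sha256_hex(data):
    """Hex SHA-256 of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def verify_installer(url, data, expected_sha256):
    """Return (ok, reason).  Both the source check and the digest check must pass."""
    if not is_official_release_asset(url):
        return False, "url is not an official Releases asset"
    actual = sha256_hex(data)
    # Constant-time comparison avoids leaking how many leading hex digits matched.
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        return False, f"sha256 mismatch: got {actual}"
    return True, "ok"


# Constructed usage values: the tag and the 40-hex commit string are placeholders.
GOOD_URL = ("https://github.com/desktop/desktop/releases/download/"
            "release-0.0.0-placeholder/GitHubDesktopSetup-x64.exe")
COMMIT_STYLE_URL = ("https://github.com/desktop/desktop/blob/"
                    "0123456789abcdef0123456789abcdef01234567/GitHubDesktopSetup-x64.exe")
# SHA-256 of the empty input, used here only so the example is self-checking.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

if __name__ == "__main__":
    print(verify_installer(GOOD_URL, b"", EMPTY_SHA256))
    print(verify_installer(COMMIT_STYLE_URL, b"", EMPTY_SHA256))
    print(verify_installer(GOOD_URL, b"", "00" * 32))
```

In practice the expected digest should come from a channel independent of the page that served the link (a signed release manifest, a vendor advisory, or an internally curated allow-list), otherwise an attacker who controls the README can publish a matching hash alongside the malicious link.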