Shadow Commits: The Stealthy “Force Push” Attack That Compromised Plone’s GitHub Repositories

A stealthy security breach has compromised one of the most prominent open-source content management projects. An anonymous adversary surreptitiously injected malicious code into several GitHub repositories by forcibly overwriting the commit history—a maneuver where many of the alterations appeared ostensibly benign, thus evading immediate suspicion.

The Plone project collective reported that the incursion was unearthed following the observation of anomalous activity within pull requests. GitHub’s automated sentinels flagged several branches as having undergone a “force push.” Upon meticulous inspection, developers discovered an intricate, obfuscated JavaScript fragment. Their analysis confirmed the code was indeed malicious. While the majority of the unauthorized interventions were swiftly rescinded, one particular instance remained undetected until a later audit.

Plone is an open-source content management system (CMS) architected in Python and JavaScript. Boasting a legacy of decades and supported by a robust global community, the project nonetheless maintained write-access permissions for several legacy contributors. The security team was already in the process of recalibrating these access rights when the breach occurred.

The suspicious modifications were executed under the credentials of a long-standing contributor; however, the core team maintains that the individual’s account was compromised rather than the contributor being complicit. GitHub support verified malicious commits across five distinct repositories. In one alarming instance, a modification successfully permeated the main branch. This alteration masqueraded as a routine post-release version increment, yet a malicious payload lay dormant within a configuration file, concealed behind an expansive string of whitespace to mimic a mere formatting adjustment in standard diff viewers.

Security specialists advise that in the wake of such incidents, all branches should be audited by the date of their last update against actual commit timestamps. Furthermore, organizations should utilize the GitHub API to scrutinize event logs for suspicious push operations.

The assailant specifically leveraged history overwriting because such actions are significantly more difficult to discern than standard commits. While protection mechanisms were already active in most repositories to prohibit such operations on primary branches, the team has since implemented organization-wide mandates. These new protocols strictly forbid force pushes, the deletion of critical branches, and the modification of version tags.

The malicious payload was primarily engineered to target developers rather than end-users. It was embedded within root-level files executed during the software build process. Upon activation, the code established systemic persistence, deployed remote execution tools, and attempted to exfiltrate administrative credentials, API keys, browser profiles, and cryptocurrency wallets. It is hypothesized that the attackers had surreptitiously planted a Personal Access Token (PAT) and remained latent for nearly two months before initiating active maneuvers.

The project leadership urges developers to frequently audit their Personal Access Tokens and other cryptographic secrets, promptly revoking any unrecognized entries. Furthermore, it is strongly recommended that force pushing be categorically prohibited on all primary and maintained branches to mitigate the risk of clandestine code substitution.