The “Fork” in the Road: How Hackers Subverted GitHub Desktop to Infect Dev Workstations
Attackers have been using GitHub itself as a malware distribution channel, disguising their payloads as installers for well-known developer tools. The campaign centres on GitHub Desktop: the official client's own repository was turned into an infection vector by manipulating download links and pushing the resulting pages through search-engine advertisements.
The technique is simple and effective. The attackers register throwaway GitHub accounts, fork the official GitHub Desktop repository and change the download link in the fork's README. Because a fork shares its parent's commit storage, a commit pushed to the fork can be viewed under the official repository's own URL (github.com/<owner>/<repo>/commit/<sha>) even though the attacker has no write access to that repository. The altered README therefore looks like part of the legitimate project, a technique the researchers call repo squatting.
The operation then moves to advertising. The attackers buy search ads for the query "GitHub Desktop" that send users not to the project's homepage but to the page for the injected commit. The URL carries a fragment that scrolls the browser straight to the download button, past the banner GitHub shows on commits that do not belong to any branch of the repository. Users who believe they are downloading the official client receive a trojanized installer instead.
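A defensive check for the two steps above, written as an added example rather than code from the report or from GitHub: first classify the URL (a commit page with a fragment anchor is exactly the shape the ad links take), then confirm in a local clone whether the commit is actually on a branch of the named repository. The owner, repository and commit hash in the URL are placeholders, and the clone is a constructed stand-in built in a temporary directory so the script runs offline; against a real link you would clone the upstream repository and pass that directory instead.

```python
import pathlib
import re
import subprocess
import tempfile
from typing import Optional
from urllib.parse import urlsplit

# Matches github.com/<owner>/<repo>/commit/<sha>; the sha may be abbreviated.
COMMIT_PATH = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/commit/(?P<sha>[0-9a-fA-F]{7,40})/?$")


def parse_commit_url(url: str) -> Optional[dict]:
    """Split a GitHub commit URL into owner, repo and sha.

    Returns None for anything that is not a commit page (a Releases page, for
    example). The 'anchored' flag records whether the URL carries a fragment,
    which is what scrolls the browser past the banner GitHub shows on commits
    that belong to no branch of the repository.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() != "github.com":
        return None
    match = COMMIT_PATH.match(parts.path)
    if not match:
        return None
    info = match.groupdict()
    info["anchored"] = bool(parts.fragment)
    return info


def commit_on_branch(repo_dir: str, sha: str) -> bool:
    """True only if `sha` is reachable from a branch of the clone in repo_dir.

    `git branch -a --contains` prints nothing for an object that exists but
    sits on no branch, and fails outright for a sha the clone does not have at
    all. A fork's unmerged commit, seen from the upstream clone, is one of
    those two cases, and both are treated as "not official".
    """
    result = subprocess.run(
        ["git", "-C", repo_dir, "branch", "-a", "--contains", sha],
        capture_output=True, text=True,
    )
    return result.returncode == 0 and result.stdout.strip() != ""


def build_demo_repo() -> tuple:
    """Constructed stand-in for a clone of the official repository.

    One commit ends up on the branch; a second commit that swaps the README
    link is left in the object store but on no branch, which is how a fork's
    unmerged commit looks from the upstream side. Not real repository data.
    """
    repo = tempfile.mkdtemp(prefix="demo-repo-")

    def git(*args: str) -> str:
        return subprocess.run(["git", "-C", repo, *args], check=True,
                              capture_output=True, text=True).stdout.strip()

    git("init", "-q")
    git("config", "user.email", "demo@example.invalid")
    git("config", "user.name", "demo")
    git("config", "commit.gpgsign", "false")
    readme = pathlib.Path(repo) / "README.md"
    readme.write_text("Download: official installer link\n")
    git("add", "README.md")
    git("commit", "-q", "-m", "official README")
    official = git("rev-parse", "HEAD")
    readme.write_text("Download: attacker-controlled link\n")
    git("commit", "-q", "-am", "swap download link")
    injected = git("rev-parse", "HEAD")
    git("reset", "-q", "--hard", official)  # injected commit is now on no branch
    return repo, official, injected


def demo() -> dict:
    """Run both checks against the constructed clone and a made-up ad URL."""
    repo, official, injected = build_demo_repo()
    # Hypothetical ad landing page; owner and repo are placeholders.
    ad_url = f"https://github.com/example-org/example-repo/commit/{injected}#diff-readme"
    return {
        "parsed": parse_commit_url(ad_url),
        "official_on_branch": commit_on_branch(repo, official),
        "injected_on_branch": commit_on_branch(repo, injected),
    }


if __name__ == "__main__":
    print(demo())
```

For a real link the second check needs a fresh clone of the upstream repository; a fork's commit will not be in that clone at all, so `commit_on_branch` returns False either way, which is the answer you want before trusting anything on that page.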
According to GMO Cybersecurity's analysis, the campaign peaked in September and October 2025 and mainly targeted developers in the EU and EEA, though infections were also recorded in Japan. Similar malicious artifacts were found posing as other widely used software, including Chrome, Notion, 1Password and Bitwarden.
The Windows installer is a multi-stage delivery chain for HijackLoader, a modular loader commonly used to deploy infostealers; macOS users are served the AMOS stealer instead. The first stage is an ordinary-looking .NET installer that carries an encrypted payload.
The malware's anti-analysis measures drew particular attention. It drives the GPU through OpenCL under the guise of "GPU encryption"; the practical effect is that the payload cannot be recovered by static analysis alone, and execution fails in sandboxes and virtual machines that lack GPU drivers or OpenCL support. Analysts are thus forced onto physical hardware with a discrete graphics card, which slows down the forensic work considerably.
The chain continues with PowerShell scripts that add Microsoft Defender exclusions and create a scheduled task for persistence. The actors also use DLL sideloading: a legitimate, signed Windows executable is made to load a malicious DLL placed alongside it under the name it expects. The final stage, HijackLoader, checks for AVG or Avast processes before dropping follow-on modules such as the LummaC2 infostealer.
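The host-side steps in this stage (Defender exclusions, Task Scheduler persistence, the AV process check) all leave a trace in PowerShell ScriptBlock logging. The detection below is an added example, not from the report or the analysts' tooling; the script blocks it scans are constructed to resemble those steps and are not indicators from the campaign, and the rule names are my own.

```python
import re
from typing import Dict, List

# One pattern per behaviour, applied to the text of a single PowerShell script
# block (Event ID 4104). Kept narrow on purpose; widen them to fit your telemetry.
RULES: Dict[str, "re.Pattern[str]"] = {
    # Carving a path, process or extension out of Defender scanning.
    "defender_exclusion": re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I),
    # Persistence through Task Scheduler, via the cmdlet or the legacy CLI.
    "scheduled_task_persistence": re.compile(
        r"\b(?:Register-ScheduledTask|schtasks(?:\.exe)?\s+/create)\b", re.I),
    # Probing for AVG/Avast processes, as the loader is reported to do.
    "av_process_probe": re.compile(
        r"\bGet-Process\b.*\b(?:avg|avast)\w*", re.I),
}

# Constructed script blocks standing in for 4104 events; not real IOCs.
SAMPLE_SCRIPT_BLOCKS: List[str] = [
    "Get-ChildItem -Path $env:TEMP -Filter *.log",
    'Add-MpPreference -ExclusionPath "$env:APPDATA\\UpdaterCache"',
    "Register-ScheduledTask -TaskName 'DesktopUpdater' -Action $action -Trigger $trigger -Force",
    "if (Get-Process -Name avgui,AvastUI -ErrorAction SilentlyContinue) { exit 0 }",
    "Start-Process notepad.exe",
]


def scan_script_blocks(blocks: List[str]) -> List[dict]:
    """Return one finding per block that matches a rule (first matching rule wins).

    Each finding carries the 1-based block number, the rule name and the text,
    so it can be joined back to the originating event for triage.
    """
    findings = []
    for number, text in enumerate(blocks, start=1):
        for rule, pattern in RULES.items():
            if pattern.search(text):
                findings.append({"line": number, "rule": rule, "text": text})
                break
    return findings


if __name__ == "__main__":
    for finding in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {finding['line']}: {finding['rule']}: {finding['text']}")
```

Legitimate administration also adds Defender exclusions and registers scheduled tasks, so treat a hit as a triage lead rather than a verdict: look at the parent process (an installer the user just downloaded is the interesting case), the excluded path, and whether the same host also logged a Defender configuration change (Microsoft-Windows-Windows Defender/Operational event 5007) around the same time.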
GitHub acknowledged the issue in September 2025, but the behaviour was still being abused in late December. It follows from how GitHub stores forks: commits pushed to a fork live in the shared repository network and stay reachable through the upstream repository's URL even after the fork owner's account is terminated, which makes these abuses hard to spot and harder to clean up.
Developers remain high-value targets because their workstations are often a gateway to corporate infrastructure, proprietary source code and internal services. Abusing a trusted platform such as GitHub lends the lure a credibility it would not otherwise have, which is what makes these attacks dangerous. Analysts advise downloading software only from a project's official Releases page, checking where a URL actually points, and treating sponsored search results with suspicion even when they appear to lead to a reputable platform.