Cybercriminals have discovered a dangerous way to trick developers into downloading malware by exploiting how GitHub works.
The attack involves creating fake versions of the GitHub Desktop installer and making them appear legitimate to unsuspecting users.
Between September and October 2025, this campaign primarily targeted users in Europe and the European Economic Area, though infections spread to Japan and other regions.
The malware, disguised as a standard development tool installer, represents a serious threat to developers who rely on GitHub for their daily work.
The attack chain begins when criminals create throwaway GitHub accounts and fork the official GitHub Desktop repository.
They then modify the download links in the README file to point toward their malicious installer instead of the legitimate one. Using sponsored advertisements targeting searches for “GitHub Desktop,” attackers promote these infected files to developers.
.webp "Attackers Hijacking Official GitHub Desktop Repository to Distribute Malware as Official Installer 3")
The criminals exploit a feature in GitHub’s design that allows commits from forked repositories to remain visible under the official repository’s namespace, even after the original fork or account is deleted.
This technique, called repo squatting, makes it extremely difficult for GitHub to track and remove malicious content.
GMO Cybersecurity analysts identified that this campaign represents an adaptive, ongoing threat that continues evolving.
The malicious Windows installer detected by the researchers, named GitHubDesktopSetup-x64.exe with a file size of 127.68 megabytes, serves as a multi-stage loader.
.webp "Attackers Hijacking Official GitHub Desktop Repository to Distribute Malware as Official Installer 4")
Similar malicious samples have been discovered disguised under other application names including Chrome, Notion, 1Password, and Bitwarden installers dating back to May 2025.
Analyzing the Infection Mechanism and Advanced Evasion Tactics
The infection mechanism reveals sophisticated technical deception.
The malicious installer appears as a standard C++ application on the surface, but analysis of its debug information reveals it is actually a single-file .NET application bundled into a single executable called an AppHost.
.webp "Attackers Hijacking Official GitHub Desktop Repository to Distribute Malware as Official Installer 5")
The actual malicious .NET payload hides within the file’s overlay section, making it invisible to simple scanning tools.
What makes this particularly concerning is that the malware incorporates a GPU-based API called OpenCL to deliberately prevent analysis in standard sandbox environments.
.webp "Attackers Hijacking Official GitHub Desktop Repository to Distribute Malware as Official Installer 6")
Most security testing sandboxes and virtual machines lack GPU drivers or OpenCL support, forcing security researchers to conduct analysis on actual physical machines with real graphics hardware before understanding the malware’s true behavior.
This technique, dubbed GPUGate, represents deliberate anti-analysis protection designed to slow down security researchers.
Additionally, the malware intentionally uses code misdirection tactics to confuse analysts attempting to recover the decryption keys statically.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
