Malvertising Campaign Pushing Dangling Commits in Official Github Repo

    Date: 09/12/2025

    Severity: Medium

    Summary

    Since early August 2025, a sophisticated malvertising campaign has been observed in which attackers abuse GitHub's repository forking system to deliver a fake GitHub Desktop client. The attackers create dangling commits by forking legitimate repositories, injecting malicious commits, and then deleting the fake user accounts. Despite the deletion, the malicious commit links remain accessible and appear to belong to the official repository, misleading users. To further evade detection, the attackers anchor their links to the middle of the page, which scrolls GitHub's security warning banner out of view. Victims have been identified across the U.S., Europe, South America, and Asia, in industries including communication, tourism, software, public services, e-commerce, and retail.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://github.com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009?tab=readme-ov-file&gad_source=1&gad_campaignid={redacted}&gclid={redacted}#download-github-desktop

    https://downloadingpage.my

    https://feelsifuyerza.com

    https://git-desktop.app

    https://gitpage.app

    https://oguiuweyqwe.online

    https://poiwerpolymersinc.online

    https://powiquwieree.com

    https://slepseetwork.online

    Hash

    636f5d478fa774635da5b25ecb842822ab444009

    629f3ab77b0c6840618029d39869d078f8a5a694

    3b3e14cec9f2c7f9567bb1a50ece12d4eb337305

    a48188b0d5bdc3e8728cb37619cc51f7392b086f

    0b9afc9019f3074c429025e860294cb9456510609dd1dca8e8378753ade5a17e

    ec89c0ffc755eafc61bbf3b9106e0d9d7cbfaa9e70fbe17d9e4fbb9a7d38be64

    e252bb114f5c2793fc6900d49d3c302fc9298f36447bbf242a00c10887c36d71

    ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e

    efcf5fe467f0ba8f990bcdfc063290b2cf3e8590455e6c7c8fe0f7373a339f36

    ed1811c16a91648fe60f5ee7d69fe455d0a3855eebb2f3d56909b7912de172fd

    2a1c127683dba19399cc6516d5700d4e756933889dad156cd62b992aaf732816

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://feelsifuyerza.com" or siteurl like "https://feelsifuyerza.com" or url like "https://feelsifuyerza.com" or domainname like "https://slepseetwork.online" or siteurl like "https://slepseetwork.online" or url like "https://slepseetwork.online" or domainname like "https://powiquwieree.com" or siteurl like "https://powiquwieree.com" or url like "https://powiquwieree.com" or domainname like "https://oguiuweyqwe.online" or siteurl like "https://oguiuweyqwe.online" or url like "https://oguiuweyqwe.online" or domainname like "https://github.com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009?tab=readme-ov-file&gad_source=1&gad_campaignid={redacted}&gclid={redacted}#download-github-desktop" or siteurl like "https://github.com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009?tab=readme-ov-file&gad_source=1&gad_campaignid={redacted}&gclid={redacted}#download-github-desktop" or url like "https://github.com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009?tab=readme-ov-file&gad_source=1&gad_campaignid={redacted}&gclid={redacted}#download-github-desktop" or domainname like "https://downloadingpage.my" or siteurl like "https://downloadingpage.my" or url like "https://downloadingpage.my" or domainname like "https://git-desktop.app" or siteurl like "https://git-desktop.app" or url like "https://git-desktop.app" or domainname like "https://gitpage.app" or siteurl like "https://gitpage.app" or url like "https://gitpage.app" or domainname like "https://poiwerpolymersinc.online" or siteurl like "https://poiwerpolymersinc.online" or url like "https://poiwerpolymersinc.online"

    Detection Query 2:

    hash IN ("636f5d478fa774635da5b25ecb842822ab444009","629f3ab77b0c6840618029d39869d078f8a5a694","3b3e14cec9f2c7f9567bb1a50ece12d4eb337305","a48188b0d5bdc3e8728cb37619cc51f7392b086f")

    Detection Query 3:

    sha256hash IN ("0b9afc9019f3074c429025e860294cb9456510609dd1dca8e8378753ade5a17e","2a1c127683dba19399cc6516d5700d4e756933889dad156cd62b992aaf732816","ec89c0ffc755eafc61bbf3b9106e0d9d7cbfaa9e70fbe17d9e4fbb9a7d38be64","efcf5fe467f0ba8f990bcdfc063290b2cf3e8590455e6c7c8fe0f7373a339f36","ed1811c16a91648fe60f5ee7d69fe455d0a3855eebb2f3d56909b7912de172fd","e252bb114f5c2793fc6900d49d3c302fc9298f36447bbf242a00c10887c36d71","ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e")
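    The following is an added example, not part of the Gurucul advisory or the Unit 42 report it references, that applies the same IOC matching in Python over constructed proxy/EDR events. It also covers the dangling-commit pattern described in the Summary: a github.com link whose path pins a bare 40-character commit id under /tree/ (rather than a branch or tag name), combined with a URL fragment that scrolls past GitHub's warning banner, and ad click-tracking parameters (gclid, gad_source, gad_campaignid) as seen in the listed URL. One caveat the example handles: Detection Query 1 compares the domainname field against full "https://..." strings, which will not match a bare hostname, so the code below normalizes URLs to their hostname before comparison. The event dictionary layout (fields "url" and "hash"), the sample events, and the reason labels are assumptions for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlparse

# Hostnames derived from the advisory's URL/Domain list (scheme stripped so they
# can be compared against a bare hostname field).
IOC_DOMAINS = {
    "downloadingpage.my",
    "feelsifuyerza.com",
    "git-desktop.app",
    "gitpage.app",
    "oguiuweyqwe.online",
    "poiwerpolymersinc.online",
    "powiquwieree.com",
    "slepseetwork.online",
}

# 40-hex values from the advisory's Hash section (git commit / SHA-1 style).
IOC_SHA1 = {
    "636f5d478fa774635da5b25ecb842822ab444009",
    "629f3ab77b0c6840618029d39869d078f8a5a694",
    "3b3e14cec9f2c7f9567bb1a50ece12d4eb337305",
    "a48188b0d5bdc3e8728cb37619cc51f7392b086f",
}

# 64-hex values from the advisory's Hash section (SHA-256).
IOC_SHA256 = {
    "0b9afc9019f3074c429025e860294cb9456510609dd1dca8e8378753ade5a17e",
    "ec89c0ffc755eafc61bbf3b9106e0d9d7cbfaa9e70fbe17d9e4fbb9a7d38be64",
    "e252bb114f5c2793fc6900d49d3c302fc9298f36447bbf242a00c10887c36d71",
    "ad07ffab86a42b4befaf7858318480a556a2e7c272604c3f1dcae0782339482e",
    "efcf5fe467f0ba8f990bcdfc063290b2cf3e8590455e6c7c8fe0f7373a339f36",
    "ed1811c16a91648fe60f5ee7d69fe455d0a3855eebb2f3d56909b7912de172fd",
    "2a1c127683dba19399cc6516d5700d4e756933889dad156cd62b992aaf732816",
}

# /<owner>/<repo>/tree/<40-hex commit id>: a link pinned to a bare commit rather
# than a branch or tag name, which is how a dangling commit is reached.
GITHUB_COMMIT_TREE = re.compile(r"^/[^/]+/[^/]+/tree/[0-9a-f]{40}(?:/|$)")

# Ad click-tracking query parameters present in the advisory's listed URL.
AD_PARAMS = {"gclid", "gad_source", "gad_campaignid"}


def hostname(url: str) -> str:
    """Lowercased host part of a URL, or "" if the URL has none."""
    return (urlparse(url).hostname or "").lower()


def classify_url(url: str) -> list[str]:
    """Reasons (possibly none) why a URL is suspicious under this advisory."""
    reasons: list[str] = []
    parsed = urlparse(url)
    host = hostname(url)
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if host == "github.com" and GITHUB_COMMIT_TREE.match(parsed.path):
        reasons.append("github-commit-tree-link")
        if parsed.fragment:
            # A fragment scrolls the page down, past the banner GitHub shows at
            # the top for commits that belong to no branch of the repository.
            reasons.append("fragment-anchor")
    if AD_PARAMS & set(parse_qs(parsed.query)):
        reasons.append("ad-tracking-params")
    return reasons


def classify_hash(value: str) -> str | None:
    """Match a file/commit hash against the advisory's lists, case-insensitively."""
    v = value.strip().lower()
    if v in IOC_SHA1:
        return "ioc-sha1"
    if v in IOC_SHA256:
        return "ioc-sha256"
    return None


def scan_events(events) -> list[tuple[int, list[str]]]:
    """Run both checks over event dicts (assumed fields: "url", "hash")."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_url(ev["url"]) if ev.get("url") else []
        if ev.get("hash"):
            h = classify_hash(ev["hash"])
            if h:
                reasons.append(h)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (assumption: not real telemetry). Event 0 is the
# advisory's listed GitHub URL with its redaction placeholders kept as-is.
SAMPLE_EVENTS = [
    {"url": "https://github.com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009"
            "?tab=readme-ov-file&gad_source=1&gad_campaignid={redacted}&gclid={redacted}"
            "#download-github-desktop"},
    {"url": "https://github.com/desktop/desktop/tree/main"},
    {"url": "https://feelsifuyerza.com/"},
    {"hash": "ED1811C16A91648FE60F5EE7D69FE455D0A3855EEBB2F3D56909B7912DE172FD"},
    {"hash": "0000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(reasons)}")
```

A legitimate link to the official repository (event 1, pinned to a branch name) produces no reasons, while the listed malvertising URL (event 0) trips all three structural checks even though github.com itself is not an IOC domain; that structural check is what lets the logic generalize beyond the specific commit id on this page.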

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-11-dangling-commits-used-in-GitHub-malvertising.txt


    Tags

    South America, Asia, Communications, Transportation Systems, Information Technology, Commercial Facilities, Malware, GitHub, Dangling Commits, United States, Europe
