Cybercriminals are leveraging hijacked official GitHub Desktop repositories to distribute malware, posing a significant threat to developers. This sophisticated attack campaign, active between September and October 2025, primarily targeted users in Europe and the European Economic Area, but infections subsequently spread to Japan and other regions. Attackers are creating fake versions of the GitHub Desktop installer, making them appear legitimate to unsuspecting users, with the malware disguised as a standard development tool installer.
The attack chain commences when malicious actors create disposable GitHub accounts and then “fork” the official GitHub Desktop repository. They subsequently alter the download links within the README file to redirect users to their malicious installer instead of the legitimate one. Utilizing sponsored advertisements that target searches for “GitHub Desktop,” these attackers actively promote their compromised files to developers. This tactic exploits a feature in GitHub’s design that allows commits from forked repositories to remain visible under the official repository’s namespace, even after the original fork or account has been deleted, a technique known as repo squatting.
Analyzing the Infection Mechanism and Advanced Evasion Tactics
According to GMO Cybersecurity analysts, this campaign represents an adaptive and ongoing threat that continues to evolve. The malicious Windows installer identified by researchers, named GitHubDesktopSetup-x64.exe with a file size of 127.68 megabytes, functions as a multi-stage loader. Similar malicious samples have been found disguised as installers for other popular applications, including Chrome, Notion, 1Password, and Bitwarden, with some dating back to May 2025.
The infection mechanism is characterized by its sophisticated technical deception. On the surface, the malicious installer appears to be a standard C++ application. However, a deeper analysis of its debug information reveals that it is, in fact, a single-file .NET application bundled into a single executable known as an AppHost. The actual malicious .NET payload is concealed within the file’s overlay section, rendering it invisible to rudimentary scanning tools.
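The AppHost-plus-overlay layout described above can be checked mechanically. The following Python triage helper is an added example (not code from the GMO analysis or from GitHub) that parses the PE section table to measure the overlay and looks for the .NET single-file bundle marker; it assumes the marker layout used by the dotnet/runtime apphost (an 8-byte bundle header offset immediately followed by the SHA-256 of ".net core bundle"), and the sample image it builds is constructed, not a real binary. Legitimate single-file .NET applications produce the same indicators, so a hit is a reason to inspect an installer that claims to be native C++, not a verdict on its own.

```python
import hashlib
import struct

# The .NET single-file bundler finds this 32-byte placeholder inside the apphost
# (SHA-256 of ".net core bundle") and patches the 8 bytes just before it with the
# file offset of the bundle header; a non-bundled apphost leaves those 8 bytes zero.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_size), or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + size_opt_hdr
    end = sec_table + num_sections * 40            # at least the headers themselves
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)         # last byte covered by any section
    return end, max(0, len(data) - end)


def triage(data: bytes) -> dict:
    """Overlay size and .NET single-file bundle indicators for one executable."""
    layout = pe_overlay(data)
    if layout is None:
        return {"is_pe": False}
    ov_off, ov_size = layout
    result = {"is_pe": True, "overlay_offset": ov_off, "overlay_size": ov_size,
              "dotnet_apphost": False, "bundle_header_offset": 0, "payload_in_overlay": False}
    pos = data.find(BUNDLE_SIGNATURE)
    if pos >= 8:                                   # signature present: this is an apphost
        hdr = struct.unpack_from("<q", data, pos - 8)[0]
        result.update(dotnet_apphost=True, bundle_header_offset=hdr,
                      payload_in_overlay=hdr != 0 and hdr >= ov_off)
    return result


def build_sample_apphost() -> bytes:
    """Constructed stand-in for a single-file .NET apphost: one .text section that
    carries the patched marker, followed by a 0x40-byte appended bundle (overlay)."""
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))      # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 16, 0x22) + b"\0" * 16
    img += b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    img += b"\0" * (0x200 - len(img))                                    # pad to raw data
    img += struct.pack("<q", 0x410) + BUNDLE_SIGNATURE                   # patched marker
    img += b"\0" * (0x400 - len(img))                                    # rest of .text
    img += b"\xcc" * 0x40                                                # appended bundle
    return bytes(img)
```

On a real sample, compare `overlay_size` with the file size and the claimed toolchain: a 127 MB "C++" installer whose bundle header offset lands inside a large overlay is exactly the shape the analysts describe.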
This attack is particularly concerning due to the malware’s incorporation of a GPU-based API called OpenCL. This element is intentionally used to impede analysis within standard sandbox environments. Most security testing sandboxes and virtual machines lack integrated GPU drivers or OpenCL support, which forces security researchers to conduct analyses on actual physical machines equipped with real graphics hardware before the malware’s true behavior can be understood. This anti-analysis technique, dubbed GPUGate, is a deliberate protective measure designed to slow down the efforts of security researchers.
Additionally, the malware employs intentional code misdirection tactics to confuse analysts attempting to recover decryption keys statically. This multifaceted approach to evasion makes it challenging for security solutions to detect and for researchers to reverse-engineer the malware’s functionalities.
The continued exploitation of trusted developer tools and platforms like GitHub underscores the persistent threat of supply chain attacks. As attackers refine their methods to bypass security measures, developers are urged to exercise extreme caution when downloading software, even from seemingly official sources. Verifying download sources and scrutinizing update mechanisms remain critical for maintaining a secure development environment.