Github Security: Repeated Unauthorized Automated Force‑Pushes Rewriting Lat

[Abhishek1350]

Select Topic Area

General

Body

Summary

I am reporting an ongoing security incident involving repeated unauthorized automated pushes to my GitHub repositories. Malicious code is being injected by amending the latest commit and force‑pushing it, which causes the changes to always appear as the most recent commit on the default branch.

These pushes are not initiated from any of my local environments and continue even after full credential and integration revocation.

Observed Behavior

The unauthorized commits follow a consistent pattern that matches an automated script which:

• Malicious Code Injection: The attacker modifies core files (e.g., src/index.ts) to include a self-invoking function that fetches a remote payload using node-fetch and executes it via eval(proxyInfo).
• File Bloating/Masking: The attacker is flooding the repository with a massive volume of binary font files (e.g., fa-solid-900.woff2, fa-brands-400.ttf) in the public/fonts/ directory. This appears to be a tactic to "hide" the malicious code changes within a massive diff.
• History Rewriting: The script executes git commit --amend --no-verify followed by a forced push (git push -f). This ensures the malicious payload is always part of the most recent commit on the default branch.

As a result, the commit history is rewritten and the malicious changes always appear as the latest commit. even in private repos that don't even have contributers, also in repose where i'm a contributer.

Remediation Already Completed

• Account password reset
• Two‑factor authentication enabled
• All SSH keys removed
• All personal access tokens revoked
• All OAuth apps and GitHub Apps revoked
• All deploy keys removed
• All webhooks removed
• GitHub Actions disabled
• All collaborators removed
• Security log reviewed (no suspicious interactive login events)

Despite completing all of the above, unauthorized automated force‑pushes continue.

Impact and Scope

• The issue affects GitHub‑hosted repositories only
• No corresponding activity occurs in local repositories
• I am aware of similar reports from other developers, including open‑source maintainers, suggesting a possible coordinated attack

Request for GitHub Security Team

I am requesting a security escalation and backend investigation, including:

• Identification of the actual actor responsible for these pushes
• (user token, GitHub Actions, GitHub App, self‑hosted runner, or other automation)
• Tracing the push token or runner responsible for the force‑pushes
• Verification of any legacy, temporary, or internal authorizations not visible in account or repository settings
• Guidance on any additional containment or recovery steps