GitHub source code on… GitHub

November 6, 2020.

Developer and privacy activist Resynth1943 announced that GitHub’s source code had been leaked on GitHub itself, in GitHub’s own DMCA repository. In fact, the upload was of GitHub Enterprise Server (GHES), not the GitHub website itself; the distinction makes the report more accurate, though the leak is no less serious. According to GitHub CEO Nat Friedman, GitHub accidentally supplied some customers with a complete, non-obfuscated tarball of GHES a couple of months ago; this is the code that was dumped into GitHub’s public DMCA repository, under Nat Friedman’s name. It seems that Resynth1943 wanted to send a message by choosing this repository, which serves as a history of the DMCA (Digital Millennium Copyright Act) takedown requests that GitHub has received, including the youtube-dl takedown demanded by the RIAA (Recording Industry Association of America). On the plus side, there was no actual hacking or compromise here: the source code was freely, if accidentally, given to customers, not exfiltrated from a compromised server. But the identity fraud shows how easy it is to impersonate someone else on GitHub. The company will probably want to fix this, unless it wants to see “Nat Friedman” being disorderly on GitHub.

Ars Technica, Jim Salter, “GitHub’s source code was leaked on GitHub last night… sort of.”