New kind of GitHub fraud: how is this happening and how do HN users handle it?

10 points by jph a day ago

There's a fraudulent GitHub account that's stolen my bio and cloned one of my repos. I've reported to GitHub.

I'm seeking HN advice about the technical git aspects, because the fake user has somehow inserted themself as the "author" of many commits, then listed me as the "committer".

What are some ways to help protect against this kind of attack and/or fraud? And how are HN people protecting against this kind of attack, meaning how to verify genuine authors and genuine repos, and block fake authors and fake repos?

Here's me and the real repo:

https://github.com/joelparkerhenderson/architecture-decision-record

Here's the fake user and the fake commits:

https://github.com/bestsoftwareandcodereviews3/architecture-decision-record/commits?author=bestsoftwareandcodereviews3

The problem seems to be much larger than just me, because there are many similar fake accounts that are stealing bios and forging commit histories for many popular open source repos such as Granite, Fastlane, Apollo GraphQL, einops ML, etc.

https://github.com/bestsoftwareandcodereviews1

https://github.com/bestsoftwareandcodereviews2

https://github.com/bestsoftwareandcodereviews3

https://github.com/bestsoftwareandcodereviews4

etc.

Update: I'm now in touch with some of the other real authors. One discovered the fraud 10 days ago, reported it to GitHub, yet still hasn't had any response.

KomoD 12 hours ago

> I'm seeking HN advice about the technical git aspects, because the fake user has somehow inserted themself as the "author" of many commits, then listed me as the "committer".

Yes, that's how git works. As simple as git commit --author="John Doe <john@doe.org>"

Enable Vigilant mode on Github and any unsigned commits will be shown as "Unverified" https://docs.github.com/en/authentication/managing-commit-si...

Teknomancer a day ago

Probably the easiest solution to this problem would be—don't use GitHub.

  • sky2224 a day ago

    What good would using other repository services do in this case when someone can still just rip the repo?

gitgud 17 hours ago

> meaning how to verify genuine authors and genuine repos, and block fake authors and fake repos?

Signed commits maybe…

In my opinion, you’re thinking about this wrong. GitHub is the same as any other online platform…

It doesn’t matter “who you say you are”, it’s the reputation that people trust (follows, stars etc…)… and reputation cannot be faked (very easily)
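KomoD's point that `git commit --author=...` is all it takes, and gitgud's "signed commits maybe", come down to the same fact about the commit object format: the author and committer headers are free text that the committing client writes, and only a signature header gives a verifier anything to check. The parser below is an added example, not code from the thread or from any of the repositories it links; the three commit objects are constructed for it (the empty-tree hash is the real empty tree, the parent hash and the PGP signature body are placeholders). It shows what `git cat-file -p <sha>` prints, why an author/committer mismatch is only a weak heuristic (a forger can set both to the victim), and that presence of `gpgsig` is not the same as a verified signature.

```python
"""Parse raw git commit objects to show why a forged author line is trivial.

Added example for the thread above; not code from the thread or the repos
it links. Sample commit objects are constructed: the tree hash is git's
real empty tree, the parent hash and signature body are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# author/committer header value: "Name <email> unix-timestamp tz-offset"
IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")


@dataclass
class Commit:
    tree: str
    parents: list[str]
    author: tuple[str, str]      # (name, email) exactly as written by the client
    committer: tuple[str, str]   # (name, email), also just header text
    signed: bool                 # a gpgsig / gpgsig-sha256 header is present
    message: str


def _ident(value: str) -> tuple[str, str]:
    m = IDENT_RE.match(value)
    if m is None:
        raise ValueError(f"malformed identity line: {value!r}")
    return m.group("name"), m.group("email")


def parse_commit_object(raw: str) -> Commit:
    """Parse a commit object as printed by `git cat-file -p <sha>`."""
    header_text, _, message = raw.partition("\n\n")
    headers: list[tuple[str, str]] = []
    for line in header_text.split("\n"):
        if line.startswith(" ") and headers:
            # continuation line of a multi-line header (git uses these for gpgsig)
            key, val = headers[-1]
            headers[-1] = (key, val + "\n" + line[1:])
        else:
            key, _, val = line.partition(" ")
            headers.append((key, val))
    lookup = dict(headers)
    return Commit(
        tree=lookup["tree"],
        parents=[v for k, v in headers if k == "parent"],
        author=_ident(lookup["author"]),
        committer=_ident(lookup["committer"]),
        signed=any(k in ("gpgsig", "gpgsig-sha256") for k, _ in headers),
        message=message,
    )


def classify(commit: Commit) -> str:
    """Coarse triage only: 'signed' means a signature header exists, not that
    it verifies or that the key belongs to the claimed author. That check
    needs `git verify-commit` or the hosting platform's own verification."""
    if commit.signed:
        return "signed"
    if commit.author != commit.committer:
        return "unsigned-mismatch"
    return "unsigned"


# Constructed: what `git commit --author="Real Author <real@example.com>"`
# produces when someone else runs it. Author and committer differ.
FORGED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Real Author <real@example.com> 1700000000 +0000\n"
    "committer Forger <forger@example.com> 1700000500 +0000\n"
    "\n"
    "Initial commit\n"
)

# Constructed: same forger, but user.name/user.email also set to the victim,
# so the mismatch heuristic sees nothing. Only a signature would tell.
IMPERSONATED = FORGED.replace("Forger <forger@example.com>", "Real Author <real@example.com>")

# Constructed: a commit carrying a placeholder PGP signature header.
SIGNED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "parent 1111111111111111111111111111111111111111\n"
    "author Real Author <real@example.com> 1700000000 +0000\n"
    "committer Real Author <real@example.com> 1700000000 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDERSIGNATUREBODY\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Add decision record template\n"
)


if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("impersonated", IMPERSONATED), ("signed", SIGNED)):
        c = parse_commit_object(raw)
        print(f"{label:13} author={c.author[0]!r:15} committer={c.committer[0]!r:15} -> {classify(c)}")
```

Inside a real clone the same triage is `git log --format='%an <%ae> | %cn <%ce> | %G?'`, where `%G?` prints `N` for no signature and `G` only for a signature that verifies against a key in your keyring; GitHub's "Verified" badge additionally requires the signing key to be attached to the account that owns the committer email, which is what the Vigilant mode setting KomoD mentions surfaces as "Unverified" for everything else.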

skydhash a day ago

I think one of the easiest ways is to buy a domain name, create a project page, and link to your real GitHub profile and the projects you've participated in. It's harder to spoof a domain name.

Anyone else just needs to do some due diligence. You don't trust random pages on Facebook, so why should you trust GitHub profiles either? And I'm not saying to trust your project page, but it's way easier to verify that way. And that's why I like it when open source projects have their own website.

romanobro56 a day ago

How did you find the fraudster?

  • jph a day ago

    A longtime collaborator emailed me directly to point me to the fake profile. I found the other fake profiles just by fiddling with the last character.