My domain got abused on GitHub Pages
rmeertens
60 points
18 comments
May 19, 2026
Discussion Highlights (8 comments)
Gigachad
Seems like GitHub could solve this by making users verify they own a domain name by adding a value to a TXT record rather than just seeing the domain points to GitHub and letting any repo use it.
tamimio
> how long it’s been abused?

I would say probably 10 years. I remember reading about the CNAME GitHub issue around 2015 or so, as before that most used to use Jekyll with gh pages, which was very popular among indie developers.
halapro
You told your NS to forward any request to GitHub, a platform you don't own. I think this is the expected outcome. It's good you noticed and shared your findings, but to me this "works as intended"
pigbearpig
You wildcarded any traffic to github.com and thought, "eh, they probably check" and are wondering who is at fault? It's you. You didn't think through the consequences, and you could learn a bit more about DNS.
est
Your DNS config 5-7 rows are the culprit. Don't point a wildcard domain to GitHub. It's a wildcard and dangerous.
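The zone check the comments above point toward (wildcard records aimed at GitHub Pages, and whether a verification TXT record exists), as an added example that is not from any commenter or from GitHub. The simplified `name type value` zone format, the sample records and the account name `alice` are constructed assumptions; `_github-pages-challenge-<account>` is the TXT label GitHub uses for Pages domain verification.

```python
# Added example: offline audit of zone records that point at GitHub Pages.
# Apex addresses for GitHub Pages; .108 and .109 appear in the thread,
# .110 and .111 are the other two GitHub documents for apex A records.
PAGES_IPS = {f"185.199.{n}.153" for n in (108, 109, 110, 111)}
CHALLENGE_PREFIX = "_github-pages-challenge-"  # GitHub's domain-verification TXT label

# Constructed sample zone ("alice" and all names are placeholders).
SAMPLE_ZONE = """\
; name  type   value
@       A      185.199.108.153
www     CNAME  alice.github.io.
*       A      185.199.108.153
*.dev   CNAME  alice.github.io.
mail    A      203.0.113.10
_github-pages-challenge-alice  TXT  "constructed-token"
"""

def parse(zone_text):
    """Return (name, type, value) tuples from simplified 'name type value' lines."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        records.append((name.lower(), rtype.upper(), value.strip()))
    return records

def points_to_pages(rtype, value):
    if rtype == "A":
        return value in PAGES_IPS
    if rtype == "CNAME":
        return value.rstrip(".").lower().endswith(".github.io")
    return False

def audit(zone_text):
    """Flag wildcard records aimed at Pages, and Pages records in an unverified zone."""
    records = parse(zone_text)
    verified = any(t == "TXT" and n.startswith(CHALLENGE_PREFIX) for n, t, _ in records)
    findings = []
    for name, rtype, value in records:
        if not points_to_pages(rtype, value):
            continue
        if name.startswith("*"):
            # A wildcard is flagged even when the zone has a verification record.
            findings.append((name, "wildcard"))
        elif not verified:
            findings.append((name, "no-verification-txt"))
    return findings
```

Wildcards are reported regardless of the TXT record because every hostname under them resolves to the Pages load balancer, which is the situation the thread describes.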
CodesInChaos
Why is securely setting up custom domains for GitHub Pages so error prone? The `<user>.github.io` CNAME record already contains the username. So why can another user steal it?

Edit: apparently CNAME can't be used for TLD+1, only for subdomains, so you have to use a more error prone approach for those.
usagisushi
Practically, it's not limited to GitHub Pages, though. By the way, even while a custom domain is still pending verification, the GitHub Pages LB will route the request based on the Host header, allowing for the following:

  dig +short github.io | head -1
  185.199.108.153
  curl -H "Host: 42.news.ycombinator.com" 185.199.109.153
  hello

Another fun trick: You can also use wildcard DNS services like nip.io/sslip.io for alias domains, such as `my-page.185.199.108.153.sslip.io`. (Not sure of any practical use cases, though.)
ardeaver
Something similar once happened to me with an old domain with nameservers I had pointed to DigitalOcean from my registrar. Managing DNS through DigitalOcean (although, this should be possible with any DNS service) requires both pointing the nameservers to that service and adding the domain to your account. If you delete the domain from your account, like I had, but forget to update the nameservers with your registrar, anyone else can claim the domain. Theoretically, if you redirect the nameservers first and then add the domain to your account, someone could swipe it from you, I guess. Though it would basically have to be pure luck. Why is it always slot machines though?