Typo-Squatting Attack Steals GitHub Credentials via ghrc.io
2025-08-25
A simple typo, 'ghrc.io' instead of 'ghcr.io', has led to an attack that steals GitHub credentials. The attacker uses 'ghrc.io' to mimic GitHub's container registry, ghcr.io. The site appears to be a default Nginx installation, but it responds to OCI API requests (/v2/) with a 401 Unauthorized error and a www-authenticate header that directs clients to send credentials to https://ghrc.io/token. This mimics the behavior of legitimate container registries, so logging into 'ghrc.io' results in credential theft. Attackers could use these credentials to push malicious images or to access GitHub accounts directly. Check whether you have logged into 'ghrc.io', and change your passwords and PATs immediately.
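One way to run the check described above, as an added example that is not part of the original report: it looks for 'ghrc.io' among the registries recorded in a Docker client config. The default path `~/.docker/config.json`, the function names and the sample config are assumptions made for this example.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

SUSPECT_HOSTS = {"ghrc.io"}  # the typo-squatted host named in the report

def registry_host(key):
    """Reduce a config key ('ghrc.io', 'https://ghrc.io/v2/') to a bare lowercase host."""
    if "://" not in key:
        key = "//" + key  # lets urlsplit treat a bare host[:port] as the netloc
    return (urlsplit(key).hostname or "").rstrip(".")

def find_suspect_logins(config, suspects=SUSPECT_HOSTS):
    """Return sorted (section, key) pairs in a parsed config that name a suspect host."""
    hits = []
    for section in ("auths", "credHelpers"):
        for key in config.get(section) or {}:
            if registry_host(key) in suspects:
                hits.append((section, key))
    return sorted(hits)

# Constructed sample config, not real credentials.
SAMPLE_CONFIG = json.loads("""
{
  "auths": {
    "ghcr.io": {"auth": "CONSTRUCTED-PLACEHOLDER"},
    "https://ghrc.io/v2/": {"auth": "CONSTRUCTED-PLACEHOLDER"}
  },
  "credHelpers": {"ghrc.io": "example-helper"}
}
""")

def check_file(path):
    """Check one config file; a missing file yields no hits."""
    path = Path(path)
    if not path.is_file():
        return []
    return find_suspect_logins(json.loads(path.read_text(encoding="utf-8")))

if __name__ == "__main__":
    # Assumed default location of the Docker CLI config.
    for section, key in check_file(Path.home() / ".docker" / "config.json"):
        print(f"found {key!r} under {section}: rotate the credentials used for it")
```

An empty result only means this config file holds no entry for the host; CI logs and shell history can be searched for the same string.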