Zhang, Yueke, Liang, Anda, Wang, Xiaohan, Wisniewski, Pamela, Zhang, Fengwei, Leach, Kevin, & Huang, Yu. (2025). Who’s pushing the code? An exploration of GitHub impersonation. In *Proceedings of the International Conference on Software Engineering*, pp. 704-716. https://doi.org/10.1109/ICSE55347.2025.00065
GitHub is one of the largest online communities where people work together to build and share open-source software. However, impersonation, in which one person makes their commits look like another developer's work, is becoming a serious concern. Impersonators can use a borrowed identity to get their changes into projects, alter code without the permission that the real developer would have been granted, or spread false information under someone else's name. Several real-world attacks have already relied on this.
This study is the first to look at how impersonation affects GitHub. The researchers interviewed 17 open-source contributors to learn how they think about impersonation and what could be done to prevent it. They found that most users aren’t very aware of impersonation risks and don’t realize how serious the consequences could be. But once these users saw a demonstration of how impersonation works, they became much more concerned.
The study also found that the existing protection, signing commits with a key tied to the developer's account, is not widely used, partly because setting it up and using it is inconvenient. Without a signature, nothing in a commit proves who made it: Git records whatever author name and email the committer's local configuration supplies, and GitHub attributes the commit to whichever account has registered that email. The researchers discussed new ways to prevent impersonation based on what participants suggested. They also analyzed 12.5 million GitHub commits to see how impersonation shows up in real-world data. Notably, they found that impersonation is hard to detect today because a spoofed commit that reaches a repository through a normal collaboration path, such as a pull request, is recorded no differently from a genuine contribution merged the same way. There is therefore no signal in GitHub's own event data that can be used to track or flag impersonation when it happens.
Fig. 1.
The figure illustrates an impersonation scenario on GitHub. The attacker Eve aims to introduce malicious code into a repository. She can pose as a credible developer, Bob, simply by configuring her commit email to match Bob's: Git accepts the configured identity without verification, and GitHub attributes the resulting commits to Bob's account. Unless Bob's commits are signed with a key registered to him, nothing in the commit data contradicts that attribution. The tactic causes Eve's potentially malicious commits to appear as though Bob created them, which in turn earns them the trust that members of the victim repository place in Bob.
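The following script is an added example and is not code from the paper or from GitHub. It shows why the scenario in the figure and the detection problem described above are the same problem: the only field that can contradict a spoofed author identity is the commit signature. It parses `git log` output in a format produced by the (assumed) command `git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%G?'`, where `%G?` is Git's signature status placeholder, and labels commits whose author claims to be a tracked maintainer but carries no good signature. The sample log lines, the maintainer list and the email addresses are constructed for illustration. In the sample, Eve's spoofed commit (made with `git -c user.email=bob@example.com commit` or `git commit --author=...`) and Bob's genuine but squash-merged pull request receive the same label, because they are byte-for-byte indistinguishable in the fields Git records.

```python
# Added example (not from the paper): classify commits by whether the claimed
# author identity is backed by a valid signature.
#
# Input: one commit per line, tab-separated, as produced by the assumed command
#   git log --format='%H%x09%an%x09%ae%x09%cn%x09%ce%x09%G?'
# %G? is Git's signature status: G = good signature, N = no signature,
# B = bad signature, E = signature cannot be checked, U/X/Y/R = other states.
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    sig_status: str


def parse_log(text: str) -> list[Commit]:
    """Parse tab-separated git log lines into Commit records."""
    commits = []
    for line in text.strip().splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"expected 6 tab-separated fields: {line!r}")
        commits.append(Commit(*fields))
    return commits


def classify(commit: Commit, trusted: set[str]) -> str:
    """Label one commit relative to the maintainer e-mails we track.

    verified            trusted author e-mail and a good signature (G)
    unverified-direct   trusted author e-mail, same committer e-mail, no good
                        signature: what a spoofed local git config produces,
                        and also what an unsigned genuine commit produces
    unverified-relayed  trusted author e-mail but a different committer: the
                        shape of a PR squash/rebase merge, and equally the
                        shape of Eve's spoofed commit merged through a PR
    untrusted-author    author is not a tracked maintainer; review as usual
    """
    if commit.author_email not in trusted:
        return "untrusted-author"
    if commit.sig_status == "G":
        return "verified"
    if commit.author_email == commit.committer_email:
        return "unverified-direct"
    return "unverified-relayed"


def review_queue(text: str, trusted: set[str]) -> dict[str, str]:
    """Map each SHA whose trusted-author claim is not signature-backed to its label."""
    queue = {}
    for commit in parse_log(text):
        label = classify(commit, trusted)
        if label.startswith("unverified"):
            queue[commit.sha] = label
    return queue


# Constructed sample, not real repository data. Bob is the tracked maintainer.
SAMPLE_LOG = "\n".join([
    # Bob's genuine signed commit, pushed directly
    "a1\tBob\tbob@example.com\tBob\tbob@example.com\tG",
    # Bob's genuine PR, squash-merged by GitHub: the signature is lost
    "b2\tBob\tbob@example.com\tGitHub\tnoreply@github.com\tN",
    # Eve committed with user.email set to Bob's address, then got her PR squash-merged
    "c3\tBob\tbob@example.com\tGitHub\tnoreply@github.com\tN",
    # Eve pushed directly with author and committer both set to Bob's address
    "d4\tBob\tbob@example.com\tBob\tbob@example.com\tN",
    # An ordinary unsigned contribution from a non-maintainer
    "e5\tCarol\tcarol@example.com\tCarol\tcarol@example.com\tN",
])
TRUSTED = {"bob@example.com"}

if __name__ == "__main__":
    for commit in parse_log(SAMPLE_LOG):
        print(commit.sha, classify(commit, TRUSTED))
```

Commits b2 and c3 get the same label, which is the paper's finding in miniature: the author/committer mismatch that a reviewer might treat as a warning sign is also what every squash- or rebase-merged pull request looks like, so it cannot separate Eve from Bob. Only a1, signed with Bob's key, is attributable with confidence, and a policy that requires signed commits from maintainers is what turns the "unverified" labels into something actionable.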
