It has been pointed out that mistyping 'ghcr.io' into 'ghrc[.]io' could lead to the theft of GitHub credentials
It has been reported that the domain 'ghrc[.]io,' which closely resembles GitHub's container registry '
ghrc.io Appears to be Malicious | Brandon Mitchell
https://bmitch.net/blog/2025-08-22-ghrc-appears-malicious/
According to software engineer Brandon Mitchell, visiting ghrc[.]io simply displays a typical default Nginx web server page, but the /v2/ endpoint mimics the behavior of OCI but behaves differently from default Nginx.
Compared to other registries, the 401 status, www-authenticate header, and error message are similar to the standard in the OCI specification, but the www-authenticate header instructs various OCI clients, such as Docker, containerd, podman, and the various CRIs used by Kubernetes, to send user credentials.
'There is no legitimate reason for this header to be configured on a default nginx installation, and the rest of the server indicates this is not a container registry. All indications point to this being a typosquatting attack aimed at credential theft,' Mitchell said.
For example, credentials could be leaked by running 'docker login ghrc.io,' using the 'docker/login-action' GitHub action and specifying ghrc[.]io as the registry, creating a Kubernetes secret with the registry credentials for ghrc[.]io, and then attempting to pull an image from the mistyped host.
'If you accidentally logged in to the wrong server, change your password, disable any PATs you used, and check for any malicious activity within your GitHub account,' Mitchell said. 'An attacker could use these credentials to push malicious images to the ghcr.io repository, or, depending on the login credentials used, gain direct access to your GitHub account.'
Related Posts:
in Web Service, Security, Posted by log1p_kr