Linus Torvalds’ GitHub Prank Exposes a Fake‑Commit Vulnerability
On January 25, Linus Torvalds posted a joking README in the Linux GitHub repository that claimed to delete Linux. It turned out to be a demonstration of a “fake‑commit” vulnerability that lets attackers host arbitrary files at special URLs without those files appearing in the commit history.
On January 25, Linus Torvalds submitted a prank README to the official Linux GitHub repository (https://github.com/torvalds/linux/tree/8bcab0346d4fcf21b97046eb44db8cf37ddd6da0) with the title “delete linux because it sucks”. The file claims the Linux source has been removed and even recommends using Windows XP.
“Hello, I am Linus Torvalds, the famous author of Linux. You can check the repo URL and the file header to verify it’s really me. I deleted Linux because I hate it and think it’s terrible. You should use this great operating system called Windows XP.”
The prank is harmless because the actual Linux source code was not deleted. Careful observers noticed that the README contains a link to a Hacker News discussion that describes a GitHub “fake‑commit” vulnerability, which allows publishing arbitrary content at URLs such as https://github.com/my/project/blob/<faked_commit>/README.md. These pages do not appear in the repository’s commit log or any branch, making them invisible except through the specific URL.
Normal commits include the word “commit” in the URL (e.g., .../commit/abcd1234), whereas the fake‑commit URLs omit this keyword. The prank README’s URL follows the fake pattern, and the file does not appear in the commit history, confirming the exploit.
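The check described above (does the commit pinned in a URL appear in the history of any branch or tag?) can be automated. The following is an added example, not code from the article or from GitHub; the commit graph and ref names are constructed, and in practice they would be read from a fresh clone of the repository (for instance from `git for-each-ref` and `git rev-list --all --parents`).

```python
import re
from urllib.parse import urlparse

SHA_RE = re.compile(r"[0-9a-f]{40}")

def pinned_sha(url):
    """Return the full commit SHA a github.com tree/blob/commit URL pins, else None."""
    u = urlparse(url)                      # the #fragment is not part of u.path
    parts = u.path.strip("/").split("/")   # owner / repo / kind / rev / ...
    if u.hostname != "github.com" or len(parts) < 4:
        return None
    if parts[2] not in ("tree", "blob", "commit"):
        return None
    return parts[3] if SHA_RE.fullmatch(parts[3]) else None

def refs_containing(sha, ref_tips, parents):
    """Names of refs whose history includes sha (iterative walk over parent links)."""
    found = []
    for name, tip in sorted(ref_tips.items()):
        stack, seen = [tip], set()
        while stack:
            commit = stack.pop()
            if commit == sha:
                found.append(name)
                break
            if commit not in seen:
                seen.add(commit)
                stack.extend(parents.get(commit, ()))
    return found

def check_url(url, ref_tips, parents):
    """Classify a URL: 'not-pinned', 'on-ref', or 'off-ref' (commit on no branch or tag)."""
    sha = pinned_sha(url)
    if sha is None:
        return "not-pinned"   # branch/tag name or non-GitHub URL: nothing to verify
    return "on-ref" if refs_containing(sha, ref_tips, parents) else "off-ref"

# Constructed sample history: A <- B <- C, with a branch at C and a tag at B.
A, B, C = "a" * 40, "b" * 40, "c" * 40
PARENTS = {A: [], B: [A], C: [B]}
REF_TIPS = {"refs/heads/master": C, "refs/tags/v1.0": B}
# URL quoted in the article; its SHA is absent from the constructed history.
PAGE_URL = "https://github.com/torvalds/linux/tree/8bcab0346d4fcf21b97046eb44db8cf37ddd6da0"

if __name__ == "__main__":
    for url in (PAGE_URL, f"https://github.com/torvalds/linux/blob/{B}/README.md",
                "https://github.com/torvalds/linux/tree/master"):
        print(check_url(url, REF_TIPS, PARENTS), url)
```

An `off-ref` result means the URL pins a commit that no branch or tag of the repository leads to, which is the property the article uses to identify the prank README.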
The same vulnerability can be combined with another GitHub issue—email address impersonation—allowing an attacker to replace the author’s email in commits. An example repository (https://github.com/slimsag/linux/tree/5895e21f3c744ed9829e3afe9691e3eb1b1932ae#linux-kernel) appears to show Linus Torvalds as a contributor, but the email address was swapped, and the forged profile shows no activity.
These GitHub vulnerabilities were publicly disclosed in 2020, but the platform has not patched them, leaving them exploitable for creating convincing phishing pages.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
