Was GitHub Hacked? Inside the Suspected MITM Attack on GitHub
In late March, users in China reported errors accessing GitHub Pages and the main site. Subsequent investigation suggested a possible man‑in‑the‑middle attack affecting GitHub’s services, with evidence such as a suspicious certificate issued to a QQ email, network hijacking on port 443, and similar disruptions across major Chinese ISPs. The issue was resolved by mid‑afternoon.
Incident Overview
On the afternoon of March 26, Chinese users began reporting errors when trying to access GitHub Pages, and the GitHub homepage also displayed error messages. Screenshots of the failed pages were shared, indicating a widespread access problem within mainland China.
What Is a Man‑in‑the‑Middle (MITM) Attack?
A MITM attack is an indirect intrusion method where an attacker positions a compromised computer between two communicating parties, intercepting or altering the traffic. Classic examples include SMB session hijacking and DNS spoofing.
Evidence and Indicators
One of the presented screenshots shows a certificate with an untrusted issuer linked to the QQ address [email protected]. Additional images display the suspicious certificate and the QQ account details.
Impact and Scope
The outage affected several GitHub domains and could be reproduced on major Chinese ISPs (China Mobile, China Unicom, China Telecom). Foreign networks did not experience the same problem, suggesting a region‑specific interception.
Speculation ranged from a beginner’s test environment to a deliberate large‑scale attack, with some observers noting that the hijacking appeared to target port 443 via backbone network manipulation while DNS resolution remained normal.
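The indicators described above (DNS resolving normally, an untrusted certificate served on port 443, reproduction only on certain networks) can be told apart by probing from several vantage points and comparing against values recorded on an unaffected network. The Python below is an added example, not part of the original article; the vantage labels, baseline IPs and fingerprints are constructed sample values, and `probe` needs live network access while `classify` and `triage` run offline.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass

@dataclass
class Observation:
    vantage: str       # label for the network the probe ran from (assumed naming)
    ip: str            # address the hostname resolved to
    chain_ok: bool     # chain validated against the local trust store
    cert_sha256: str   # SHA-256 of the leaf certificate actually served

def probe(host, vantage, port=443, timeout=5.0):
    """Live probe: resolve, validate the chain, then fingerprint the served leaf."""
    ip = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)[0][4][0]
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                chain_ok = True
    except ssl.SSLCertVerificationError:
        chain_ok = False
    ctx = ssl.create_default_context()   # second connection only reads the served cert
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return Observation(vantage, ip, chain_ok, hashlib.sha256(der).hexdigest())

def classify(obs, good_ips, good_fps):
    """Triage one observation against a baseline from an unaffected network."""
    if obs.chain_ok:
        return "ok"
    if obs.ip not in good_ips:
        return "check-dns-first"            # resolution differs from the baseline
    if obs.cert_sha256 not in good_fps:
        return "on-path-tls-interception"   # DNS normal, certificate swapped on 443
    return "local-trust-or-clock-problem"   # genuine certificate, local validation failed

# Constructed sample data: documentation-range IPs and made-up fingerprints.
GOOD_IPS, GOOD_FPS = {"192.0.2.10"}, {"aa" * 32}
SAMPLES = [
    Observation("isp-a", "192.0.2.10", False, "bb" * 32),
    Observation("isp-b", "198.51.100.7", False, "cc" * 32),
    Observation("abroad", "192.0.2.10", True, "aa" * 32),
    Observation("old-laptop", "192.0.2.10", False, "aa" * 32),
]

def triage(samples=SAMPLES):
    return {o.vantage: classify(o, GOOD_IPS, GOOD_FPS) for o in samples}
```

Because a CDN can legitimately return different addresses per region, an IP outside the baseline is only a prompt to verify resolution, not proof of spoofing.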
Timeline and Resolution
By around 15:00 CST, GitHub services were restored for Chinese users.
Historical Context
GitHub has experienced multiple accessibility incidents in the past, such as the 2013 “12306 ticket‑assistant” outage and the 2020 U.S. export‑control restrictions that affected certain users.
Brief GitHub Background
GitHub is a platform for hosting open‑source and private software projects, supporting only Git repositories. Launched in April 2008, it offers features like issue tracking, wikis, and Gist snippets. Microsoft acquired GitHub in June 2018, and GitHub later announced the acquisition of npm in March 2020.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
