Account Hijacking on GitHub Wreaks Chaos on the Kodi Community

Last updated July 8, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

One of the largest and most popular sources of Kodi add-ons is GitHub, the web-based hosting and version control service for Git repositories. Plenty of other repositories and platforms offer this kind of software, but GitHub is preferred for three reasons: DMCA takedowns, while they do happen, do not dominate the platform; it gives users direct access to the latest version of an add-on's code; and anyone who has set up Git can streamline fetching and updating their favorite add-ons. GitHub has one problem, however, and it is one that regularly leaves the Kodi community in a mess of confusion.

GitHub gives every user a unique namespace, so each repository lives at a URL of the form github.com/username/repository, and many people pull add-on updates straight from that URL. The catch is that a username is only unique for as long as the account exists: when an account is deleted or renamed, the name is released, and whoever registers it next owns exactly the same URL. If an add-on's creator deletes their account, an impostor can re-register the username, recreate a repository of the same name (from a clone of the original code, if they have one) and carry on publishing from there. Everyone still pulling from the old URL now receives updates from someone who is not the original developer, and since nothing in the URL has changed, the chances of noticing are slim.

(Image: fake_github_kodi; source: torrentfreak.com)

As TorrentFreak points out, this has happened again and again to Kodi add-on repositories over the past few years, the most recent example being the "13Clowns" repo. In this case, the impostor who took the place of the deleted repository did not push malware or ransomware to the many thousands of Kodi users who received updates to their "Exodus" add-on, but instead used it to promote the TVAddons platform, which had previously been unrelated to 13Clowns. Since some were quick to point the finger at TVAddons, its admins denied any involvement in the incident in a tweet.

https://twitter.com/tvaddonsco/status/1103481795335647232

GitHub holds users responsible for what they download, but it does not allow hosting code written specifically to exploit others. To stop this kind of "repository hijacking", it has introduced a "repository namespace retirement" policy: the namespace of any open source project that had more than 100 clones in the week before its owner's account was renamed or deleted is retired, so nobody can create a repository with that name again, and people pulling from the old URL simply stop receiving updates, malicious or otherwise. Note that the policy is tied to account renames and deletions and to the 100-clone threshold; smaller projects get no such protection. Beyond that, reporting hijacked repositories to GitHub helps keep the platform safe, and developers who stop working on a project are urged to leave the repository in place, unmaintained or archived, rather than deleting it together with their account, since it is a freed username, not a deleted repository on a live account, that hands the URL to someone else.
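Users who update add-ons with git can catch the hijack described above themselves, at least when the impostor had to rebuild the repository from scratch. The shell script below is an added example written for this page, not code from the article, GitHub, Kodi or any add-on project. It records the commit you last audited and, before pulling, fetches the remote branch and refuses if that commit is no longer an ancestor of the remote tip. The directory names (dev, user, imposter, upstream.git), the file addon.xml and the function names are made up for the demonstration, and a local bare repository stands in for GitHub.

```shell
#!/bin/sh
# Added example, not code from the article, GitHub, Kodi or any add-on project.
# Guard for people who update add-ons with `git pull` from a GitHub URL:
# before pulling, fetch the remote branch and require that the commit you last
# audited (TRUSTED) is still an ancestor of the remote tip. A hijacker who
# re-registers the username and recreates the repository from scratch cannot
# satisfy this, because their history does not contain your trusted commit.
#
# Limitation: an impostor who pushes a copy of the ORIGINAL history passes this
# check. Only signed commits or tags (git verify-commit / git verify-tag with
# the developer's key) or an out-of-band pin catch that case; not shown here.
# Names (dev, user, imposter, upstream.git, addon.xml) are made up for the demo.

# check_upstream_lineage <clone_dir> <branch> <trusted_commit>
# Exit status: 0 = remote tip still descends from <trusted_commit>;
#              1 = history was replaced; 2 = the fetch itself failed.
check_upstream_lineage() {
    _clone=$1; _branch=$2; _trusted=$3
    if ! git -C "$_clone" fetch -q origin "refs/heads/$_branch"; then
        return 2
    fi
    _remote_tip=$(git -C "$_clone" rev-parse FETCH_HEAD)
    if git -C "$_clone" merge-base --is-ancestor "$_trusted" "$_remote_tip"; then
        return 0
    fi
    return 1
}

# Commit with a fixed identity and no signing, so the demo needs no global config.
_demo_commit() {  # _demo_commit <repo_dir> <file_content> <message>
    printf '%s\n' "$2" > "$1/addon.xml"
    git -C "$1" add addon.xml
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q -m "$3"
}

# run_hijack_demo: builds a throwaway scenario under a temp directory.
#   1. "dev" publishes an add-on to a bare upstream.git (stand-in for GitHub).
#   2. "user" clones it and records the audited commit as trusted.
#   3. dev ships a normal update; the check must pass (DEMO_BEFORE=0).
#   4. The upstream is deleted and recreated by an "imposter" with unrelated
#      history, as when a released username is re-registered; the check must
#      fail (DEMO_AFTER=1).
run_hijack_demo() {
    DEMO_ROOT=$(mktemp -d)
    _up="$DEMO_ROOT/upstream.git"
    git -c init.defaultBranch=main init -q --bare "$_up"
    git -c init.defaultBranch=main init -q "$DEMO_ROOT/dev"
    _demo_commit "$DEMO_ROOT/dev" 'addon v1' 'Add-on v1'
    DEMO_BRANCH=$(git -C "$DEMO_ROOT/dev" symbolic-ref --short HEAD)
    git -C "$DEMO_ROOT/dev" push -q "$_up" "$DEMO_BRANCH"

    git clone -q "$_up" "$DEMO_ROOT/user"
    DEMO_TRUSTED=$(git -C "$DEMO_ROOT/user" rev-parse HEAD)

    # Step 3: legitimate update on top of the trusted commit.
    _demo_commit "$DEMO_ROOT/dev" 'addon v2' 'Add-on v2'
    git -C "$DEMO_ROOT/dev" push -q "$_up" "$DEMO_BRANCH"
    if check_upstream_lineage "$DEMO_ROOT/user" "$DEMO_BRANCH" "$DEMO_TRUSTED"
    then DEMO_BEFORE=0; else DEMO_BEFORE=$?; fi

    # Step 4: namespace hijack. Same URL, brand-new repository and history.
    rm -rf "$_up"
    git -c init.defaultBranch=main init -q --bare "$_up"
    git -c init.defaultBranch=main init -q "$DEMO_ROOT/imposter"
    _demo_commit "$DEMO_ROOT/imposter" 'addon v3 (promo)' 'Add-on v3'
    git -C "$DEMO_ROOT/imposter" push -q "$_up" "HEAD:refs/heads/$DEMO_BRANCH"
    if check_upstream_lineage "$DEMO_ROOT/user" "$DEMO_BRANCH" "$DEMO_TRUSTED"
    then DEMO_AFTER=0; else DEMO_AFTER=$?; fi
}

if command -v git >/dev/null 2>&1; then
    run_hijack_demo
    echo "before hijack: exit $DEMO_BEFORE (0 = safe to pull)"
    echo "after hijack:  exit $DEMO_AFTER (1 = history replaced, do not pull)"
    rm -rf "$DEMO_ROOT"
fi
```

In real use you would keep the audited commit hash for each add-on in a small file and run check_upstream_lineage before every `git pull`; a non-zero status means stop and look at the repository page before going further. Remember the limitation stated in the comments: if the impostor had a full clone of the original history and pushed it back under the re-registered name, the ancestry test passes, and only signatures from the original developer's key or an exact commit pin will tell the two apart.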

Have you ever received a GitHub update that came from a "sham developer"? What was downloaded in that case? Share your experience in the comments below, and remember that you can help us reach more people by sharing our stories on our socials, on Facebook and Twitter.


