Ghrc.io Appears to Be Malicious

https://news.ycombinator.com/rss Hits: 12
Summary

A simple typo of ghcr.io to ghrc.io would normally be a small goof. You’d typically get a 404 or similar error, finally work out the issue, fix it, and move along. But in this case, that typo appears to be doing something very malicious: stealing GitHub credentials.

What’s ghcr.io?

First, a quick bit of background. ghcr.io is an OCI conformant registry for container images and OCI artifacts used by a lot of projects. It’s part of GitHub and is a very popular image and artifact repository used by open source projects.

ghrc.io Is Just a Default Nginx

At first glance, ghrc.io is just a default nginx install:

$ curl -i https://ghrc.io/
HTTP/2 200
server: nginx
date: Fri, 22 Aug 2025 17:58:01 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 23 Apr 2024 14:04:32 GMT
etag: "6627bff0-267"
strict-transport-security: max-age=31536000; includeSubDomains
accept-ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Even checking other links gives a typical 404 error:

$ curl -i https://ghrc.io/404/
HTTP/2 404
server: nginx
date: Fri, 22 Aug 2025 17:58:04 GMT
content-type: text/html
content-length: 146
strict-transport-security: max-age=31536000; includeSubDomains

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

Why Is It Malicious?

The concerning part comes in when looking at the OCI APIs. Those are all under the ...
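The defensive takeaway from the post is that a registry hostname one transposition away from ghcr.io can end up in a Dockerfile or manifest and quietly receive whatever credentials the client sends. The following is an added example, not code from the original post: a small scanner that pulls image references out of Dockerfile FROM lines and YAML image: keys, resolves each reference's registry host using the docker/distribution naming convention, and flags hosts that are within a small Damerau-Levenshtein distance of a known registry but are not that registry (the ghrc.io / ghcr.io case is a single adjacent transposition, which is why plain Levenshtein is not enough). The registry allowlist, the regexes, and the sample input are all constructed for this example.

```python
"""Flag container image references whose registry host looks like a typo of a
well-known registry (for example ghrc.io instead of ghcr.io).

Added example; the allowlist below is constructed for illustration and should
be replaced with the registries your organisation actually uses.
"""
import re

# Ordered tuple so that ties in distance resolve deterministically (first wins).
KNOWN_REGISTRIES = ("ghcr.io", "docker.io", "quay.io", "gcr.io", "registry.k8s.io")


def parse_registry(image_ref: str) -> str:
    """Return the registry host of an OCI image reference.

    Follows the docker/distribution convention: the first path component is a
    registry only if it contains '.' or ':' or equals 'localhost'; otherwise the
    reference is implicitly on docker.io (e.g. 'python:3.12-slim').
    """
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first.split(":")[0].lower()  # drop an explicit port
    return "docker.io"


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1. Transpositions matter because ghrc.io is
    ghcr.io with two neighbouring letters swapped (distance 1, not 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_registry(host: str, max_distance: int = 2):
    """Return ('known', host), ('lookalike', closest_known) or ('unknown', None)."""
    if host in KNOWN_REGISTRIES:
        return ("known", host)
    best = min(KNOWN_REGISTRIES, key=lambda k: damerau_levenshtein(host, k))
    if damerau_levenshtein(host, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)


# Dockerfile "FROM [--platform=...] <ref>" and YAML "image: <ref>" lines.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE | re.MULTILINE)
IMAGE_RE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s]+)", re.MULTILINE)


def extract_image_refs(text: str) -> list:
    """Pull image references out of Dockerfile FROM lines and YAML image keys."""
    return FROM_RE.findall(text) + IMAGE_RE.findall(text)


def scan(text: str) -> list:
    """Return (image_ref, verdict, closest_known) for every non-allowlisted host."""
    findings = []
    for ref in extract_image_refs(text):
        verdict, closest = classify_registry(parse_registry(ref))
        if verdict != "known":
            findings.append((ref, verdict, closest))
    return findings


# Constructed sample input: a Dockerfile followed by a Kubernetes manifest fragment.
SAMPLE = """\
FROM ghcr.io/example/base:1.2
FROM --platform=linux/amd64 ghrc.io/example/tool:latest
FROM python:3.12-slim
---
containers:
  - name: app
    image: "quay.io/example/app:v1"
  - name: sidecar
    image: gchr.io/example/sidecar:v2
  - name: internal
    image: registry.internal.example:5000/team/svc:3
"""

if __name__ == "__main__":
    for ref, verdict, closest in scan(SAMPLE):
        hint = f" (did you mean {closest}?)" if closest else ""
        print(f"{verdict.upper():9} {ref}{hint}")
```

Run against the sample, the scanner reports the two transposed hosts (ghrc.io and gchr.io) as lookalikes of ghcr.io and the internal registry as unknown, while ghcr.io, quay.io and the implicit docker.io reference pass. Wiring this into CI, or into an admission policy that rejects any image whose registry is not on the allowlist, turns the typo from a credential leak into a build failure.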

First seen: 2025-08-25 00:11

Last seen: 2025-08-25 11:13