Postmortem Index

Explore incident reports from various companies

Gentoo GitHub Organization compromise of June 2018

Gentoo · GitHub Organization

2018-06-28 – 2018-07-03 · automation, security

On June 28, 2018, an unknown entity gained administrative control of the Gentoo GitHub Organization. The attacker immediately removed all access for Gentoo developers and proceeded to make malicious changes to several repositories. The incident lasted until July 3, 2018, when GitHub unlocked the organization after remediation efforts.

The root cause was the compromise of an organization administrator's password. Evidence pointed to a password scheme shared across sites rather than an isolated leak: a password for the same administrator disclosed on another site made the password for the GitHub account easy to guess.

The compromise resulted in approximately five days of unavailability for Gentoo’s GitHub operations. Pull request CI was down, and all past pull requests were disconnected and closed, requiring users to open new ones. Malicious content, including “rm -rf” commands, was briefly available in repositories like gentoo/gentoo, gentoo/musl, and gentoo/systemd, though technical guards likely prevented execution by end-users.

Gentoo developers and infrastructure staff escalated the issue to GitHub support, leading to the organization being frozen. Gentoo regained control, reverted the malicious commits through force-pushes, and restored the defaced content. Post-incident actions included implementing 2FA requirements, reviewing password policies, and improving backup procedures for GitHub settings.
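The two details above that matter most to anyone consuming a repository from GitHub are that malicious commits were briefly live in gentoo/gentoo, gentoo/musl and gentoo/systemd, and that recovery involved force-pushing the branches back to clean history. A consumer that mirrors or pulls such a branch can detect a rewritten branch on its own: after each fetch, check that the newly fetched head still contains the last commit it pinned as known-good. The script below is an added example written for this page, not Gentoo's or GitHub's tooling; it assumes only that git is on PATH, and every repository path and commit message in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not Gentoo's or GitHub's own tooling: detect a rewritten
# branch on fetch by requiring that the new head still descends from a
# pinned known-good commit. Assumes git on PATH; all repository paths and
# commit messages are constructed for the demo.
set -eu

# Git wrapper with a fixed identity so the demo also runs on a bare machine.
g() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false -c init.defaultBranch=main "$@"
}

# check_fast_forward REPO KNOWN_GOOD_SHA REF
# exit 0: REF is a descendant of KNOWN_GOOD_SHA (ordinary fast-forward update)
# exit 1: KNOWN_GOOD_SHA is gone from REF's history (branch was rewritten)
check_fast_forward() {
    g -C "$1" merge-base --is-ancestor "$2" "$3"
}

# demo_rewrite_detection builds a throwaway upstream plus a consumer that
# only fetches, pushes one honest commit, then force-pushes rewritten history.
# Prints one verdict per fetch: "ok" for the honest update, "REWRITTEN" after
# the force-push.
demo_rewrite_detection() {
    tmp=$(mktemp -d)
    up="$tmp/upstream.git"; dev="$tmp/dev"; consumer="$tmp/consumer"
    g init -q --bare "$up"
    g init -q "$dev"
    g init -q "$consumer"

    # Maintainer publishes the initial history; consumer fetches and pins it.
    g -C "$dev" commit -q --allow-empty -m "initial ebuild tree"
    g -C "$dev" push -q "$up" HEAD:refs/heads/main
    g -C "$consumer" fetch -q "$up" refs/heads/main
    good=$(g -C "$consumer" rev-parse FETCH_HEAD)

    # Honest update: a new commit on top of the pinned one.
    g -C "$dev" commit -q --allow-empty -m "bump package version"
    g -C "$dev" push -q "$up" HEAD:refs/heads/main
    g -C "$consumer" fetch -q "$up" refs/heads/main
    if check_fast_forward "$consumer" "$good" FETCH_HEAD; then
        echo ok
        good=$(g -C "$consumer" rev-parse FETCH_HEAD)   # advance the pin
    else
        echo REWRITTEN
    fi

    # Someone with push rights rewinds the branch and force-pushes a
    # replacement commit; the pinned commit vanishes from main's history.
    g -C "$dev" reset -q --hard HEAD~1
    g -C "$dev" commit -q --allow-empty -m "replacement commit (constructed)"
    g -C "$dev" push -q --force "$up" HEAD:refs/heads/main
    g -C "$consumer" fetch -q "$up" refs/heads/main
    if check_fast_forward "$consumer" "$good" FETCH_HEAD; then
        echo ok
    else
        echo REWRITTEN
    fi

    rm -rf "$tmp"
}

demo_rewrite_detection
```

The check only catches history that was rewritten; content pushed as an ordinary fast-forward commit passes it, so it complements rather than replaces commit review and signature verification. It is also the reason the remediation force-pushes themselves would have tripped a consumer's alarm, which is the intended outcome: a non-fast-forward update on a branch you track should always be investigated before it is accepted.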

Keywords

github, gentoo, security, account compromise, password reuse, data integrity, force push, repository