Open Source 2018-06-28 · 0 days · Service Disruption, Data Destruction

Gentoo GitHub hack modified ebuilds

An attacker gained control of an administrator account in Gentoo's GitHub organization (reportedly 'risacher', via a guessed password).

Story

Gentoo's 2018 incident hit GitHub, not Gentoo's primary infrastructure. The attacker gained access to a GitHub organization administrator account and used that control to remove the organization's users, invite a second malicious administrator, and alter repositories.

The visible payload was destructive. Malicious commits inserted rm -rf commands into ebuilds and defaced repository files. Gentoo later noted that existing technical guards made execution on ordinary users' systems unlikely, but any fresh clone taken from the affected GitHub repositories during the window could contain the hostile content.

The main Gentoo development and distribution infrastructure remained separate. Gentoo told users that the default mirroring infrastructure and the hardware run by Gentoo Infrastructure were unaffected, and that Portage's signature verification of the synced repository lets users confirm that what they have came from Gentoo rather than from the GitHub mirror.

The operational damage was still real. Gentoo's GitHub organization was unavailable for several days, pull-request workflows were disrupted, and older pull requests were disconnected from their commits. This record tracks the compromised GitHub source mirror and the ebuild changes, not a compromise of Gentoo's canonical package distribution path.
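Added example, not Gentoo's own tooling and not taken from the incident report: a Python script that checks a local checkout taken from the GitHub mirror for the two indicators this record gives, namely the commit hashes listed under Affected Artifacts and ebuilds carrying a recursive rm aimed at the filesystem root. The sample ebuild fragments embedded in it are constructed to imitate the shape of the injection and are not the real diff; clone_contains_commits assumes git is on PATH and a real clone, and is the only part that touches git.

```python
"""Check a checkout of a Gentoo ebuild repository for the indicators this record
describes: known malicious commit hashes and ebuilds containing a recursive rm
aimed at /.  Added example; not Gentoo's tooling."""
from __future__ import annotations

import os
import re
import subprocess
import tempfile

# Commit hashes listed in this record's "Affected Artifacts" section.
KNOWN_BAD_COMMITS = (
    "b8ed5a815dfb8c077a92e6a3a90c1ae6a88d284d",
    "2bd555a1138cb197271e8ddeec38bf4c7ae71844",
)

# Matches `rm`, its option words, and the first non-option argument.
RM_RE = re.compile(r"(?:^|[;&|(\s])rm\s+((?:-{1,2}[\w-]+\s+)*)(\S+)")


def is_destructive_rm(line: str) -> bool:
    """True if the line runs rm recursively against / or /*.  Ordinary ebuild
    cleanup such as `rm -rf "${D}"/usr/share/doc` does not match."""
    for m in RM_RE.finditer(line):
        opts, target = m.group(1).split(), m.group(2)
        short = "".join(o[1:] for o in opts if not o.startswith("--"))
        recursive = "r" in short or "R" in short or "--recursive" in opts
        if recursive and target.strip("\"'") in ("/", "/*"):
            return True
    return False


def scan_ebuild_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every destructive rm in an ebuild body.
    Trailing shell comments are dropped first, so `# rm -rf /` is not a hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if is_destructive_rm(code):
            hits.append((no, line.strip()))
    return hits


def scan_files(files: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Scan an in-memory mapping of path -> contents; keep only files with hits."""
    return {p: h for p, t in files.items() if (h := scan_ebuild_text(t))}


def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every .ebuild and .eclass file below root (e.g. a gentoo/gentoo clone)."""
    files: dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith((".ebuild", ".eclass")):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(p, root)] = fh.read()
    return scan_files(files)


def clone_contains_commits(repo: str, shas=KNOWN_BAD_COMMITS) -> dict[str, bool]:
    """For each sha, True if it is an ancestor of HEAD in the git checkout at repo.
    Requires git on PATH and a real clone; not exercised by the constructed sample.
    `git merge-base --is-ancestor` exits non-zero both for "not an ancestor" and
    for "unknown object", so a missing commit correctly reports False."""
    result = {}
    for sha in shas:
        r = subprocess.run(
            ["git", "-C", repo, "merge-base", "--is-ancestor", sha, "HEAD"],
            capture_output=True,
        )
        result[sha] = r.returncode == 0
    return result


# Constructed sample ebuild fragments.  They imitate the shape of the injection
# this record describes and are NOT the real diff from the affected repositories.
SAMPLE_FILES = {
    "app-misc/clean/clean-1.0.ebuild": (
        "src_install() {\n"
        '\temake DESTDIR="${D}" install\n'
        '\trm -rf "${D}"/usr/share/doc/junk\n'  # legitimate cleanup, no hit
        "}\n"
    ),
    "app-misc/hostile/hostile-1.0.ebuild": (
        "pkg_setup() {\n"
        "\t# rm -rf / inside a comment is harmless\n"
        "\trm -rf /*\n"
        "}\n"
    ),
}


def demo() -> dict[str, list[tuple[int, str]]]:
    """Write the samples to a temporary tree and scan it the way a clone would be."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for no, line in hits:
            print(f"{path}:{no}: {line}")
```

On a real clone, run scan_tree on the checkout and clone_contains_commits against it; a hit on either means the clone was taken from the mirror during the window and should be discarded in favour of a fresh sync from Gentoo's default mirrors, which were outside the attacker's reach. The content scan deliberately ignores `rm -rf "${D}"/...` and similar install-time cleanup, which is common in legitimate ebuilds.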

Affected Artifacts

gentoo

github · github.com · repository · Revision Control System
Observed
2018-06-28
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:b8ed5a815dfb8c077a92e6a3a90c1ae6a88d284d
  • sha1:2bd555a1138cb197271e8ddeec38bf4c7ae71844
Notes
  • Gentoo's incident report listed malicious content windows for gentoo/gentoo, gentoo/musl, and gentoo/systemd on GitHub between 2018-06-28 and 2018-06-29 UTC.
  • Gentoo stated its own infrastructure and default mirroring path were unaffected.

Incident Context

Motive
Disruption, Protest
Attribution
Person
Cause
Compromised Account Credentials
Transitive
No
Actor
Individual Hacker

External References

Source record: oss/attacks/gentoo/meta.yaml