Introduction

Hello, I’m RyotaK (@ryotkak), a security engineer at GMO Flatt Security Inc.
In October 2024, I was hunting bugs for the GitHub Bug Bounty program. After investigating GitHub Enterprise Server for a while, I felt bored and decided to try to find bugs on GitHub Desktop instead.
After reading the source code of GitHub Desktop, I found a bug that allows a malicious repository to leak the user’s credentials.
Since the concept of the bug is interesting, I decided to investigate other Git-related projects and found many bugs.