Auto force push attacking all repos and branches

[mehediScriptDev]

did you guys experience a kinda thing in github, auto force pushes happening on every repo and all branches, and a config.bat file being injected automatically? It's continuously happening to our office organization even after we clean it up

when github solve this issue? any idea?

[SwapnilSadhu007]

This behavior is not caused by GitHub itself — it indicates that your local environment or organization machines have been compromised by a malicious script. GitHub does not auto‑force push or inject files into repositories.

Steps to resolve:

1. Audit all developer machines for malware or unauthorized scripts (especially anything running git push --force).
2. Rotate all GitHub credentials (PATs, SSH keys, OAuth tokens) immediately.
3. Check your organization’s GitHub settings for suspicious integrations or compromised accounts.
4. Enable 2FA for all users and enforce SSO if available.
5. Clean affected repos by removing injected files and reviewing commit history.
6. Contact GitHub Support directly with details so they can confirm there is no account‑level compromise.

In short: this is a local security issue, not a GitHub platform bug. Securing your environment and rotating credentials will stop the auto force pushes.

[Gecko51]

The previous answer is on the right track -- this is not a GitHub platform issue, it's a compromised developer machine (or multiple machines in your org). The config.bat injection pattern specifically is a known malware behavior on Windows dev environments. Here's what makes it distinctive and what to look for:

Where the attack is likely running from on infected machines:

• Git hooks in the .git/hooks directory (check pre-commit, post-commit, pre-push hooks for unauthorized scripts)
• Windows Task Scheduler -- run schtasks /query /fo LIST /v and look for anything git-related that you didn't add
• Startup folder (shell:startup) and registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)

Immediate containment steps:

1. Enable branch protection rules on all your org repos right now (Settings > Branches). At minimum, require pull request reviews and disable force pushes from everyone except admins. This won't fix the root cause but stops the damage while you investigate.
2. Revoke ALL personal access tokens and deploy keys on the organization. Go to org Settings > Security > Active tokens and kill everything. Re-issue only what's needed after cleanup.
3. Check GitHub Actions workflow files (.github/workflows/) in affected repos for anything that was injected -- attackers often add a step that exfiltrates secrets.

Finding patient zero: Look at the git commit metadata on the injected commits. The author email and machine name (often visible in commit metadata) can help identify which developer's machine is the source.

Once you've secured credentials and enabled branch protection, the force pushes will stop even if a machine is still infected.