Detect potential imposter commits in GitHub repositories
A fork commit is a technical state: a commit that exists in GitHub's object store but is not in any branch of the repository you're referencing. Due to Git's cross-fork object sharing, commits pushed to any fork become accessible via the parent repository's namespace.
An imposter commit describes intent: using a fork commit to masquerade as part of a trusted repository. Reference one in a CI/CD pipeline (uses: owner/repo@sha) and GitHub fetches it—no merge or review required.
Not all fork commits are malicious. Legitimate scenarios include unmerged PR commits, abandoned branches, or force-pushed history. But the potential for abuse makes them worth investigating.
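The check this page describes, as an added example (not the tool's own code): pull every SHA-pinned uses: reference out of a workflow, then ask whether any branch or tag of the referenced repository actually contains that commit. It assumes GitHub's compare API (status values identical, behind, ahead, diverged for ref...sha) and takes the per-ref lookup as a function so the classification can be exercised offline with constructed data.

```python
import json
import re
import urllib.request

# Matches SHA-pinned action references, e.g. "uses: actions/checkout@<40-hex>"
USES_RE = re.compile(r"uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@([0-9a-f]{40})\b")


def extract_pinned_uses(workflow_text):
    """Return (owner, repo, sha) for every SHA-pinned `uses:` line in a workflow."""
    return [m.groups() for m in USES_RE.finditer(workflow_text)]


def classify_compare_status(status):
    """Interpret the `status` field of GitHub's compare API for `ref...sha`.
    'identical'/'behind': sha is an ancestor of ref, so ref's history contains it.
    'ahead'/'diverged': ref does not contain sha."""
    if status in ("identical", "behind"):
        return "in-history"
    if status in ("ahead", "diverged"):
        return "not-in-history"
    raise ValueError(f"unexpected compare status: {status!r}")


def github_compare_status(owner, repo, ref, sha, token=None):
    """Live lookup (network): GET /repos/{owner}/{repo}/compare/{ref}...{sha}."""
    url = f"https://api.github.com/repos/{owner}/{repo}/compare/{ref}...{sha}"
    req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["status"]


def audit_workflow(workflow_text, lookup):
    """lookup(owner, repo, sha) -> {ref_name: compare_status} for the refs of
    owner/repo that ought to contain the commit (its branches and tags).
    A pin is flagged when no ref's history contains the commit, which is the
    'exists in the object store but is in no branch' state of a fork commit."""
    verdicts = {}
    for owner, repo, sha in extract_pinned_uses(workflow_text):
        statuses = lookup(owner, repo, sha)
        reachable = [r for r, s in statuses.items()
                     if classify_compare_status(s) == "in-history"]
        verdicts[f"{owner}/{repo}@{sha}"] = "ok" if reachable else "fork-commit-candidate"
    return verdicts
```

A live run wires github_compare_status over the repository's branch and tag list into the lookup; a compare request that 404s means the SHA is not in the repository's object store at all and should be reported separately.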
SITF: Imposter Commits (T-V002)
Chainguard: What the fork?
kernel.org: Cross-fork object sharing is not a bug
StepSecurity: The warning everyone ignores
Truffle Security: Deleted repo data