Github · Github Desktop · CVE-2025-23040
**Name of the Vulnerable Software and Affected Versions**
GitHub Desktop versions prior to 3.4.12
**Description**
An attacker can obtain a user's credentials by convincing them to clone a repository, either directly or through a submodule, using a maliciously crafted remote URL. GitHub Desktop relies on Git for network operations and uses the git-credential protocol to request credentials for remote hosts. A malicious URL can cause GitHub Desktop to misinterpret the credential request and send credentials belonging to a different host, allowing secret exfiltration. As a result, the user's GitHub username and OAuth token, or credentials for other Git remote hosts stored in GitHub Desktop, could be transmitted to an unrelated host.
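As an added example that is not part of this advisory or of GitHub Desktop's own code, the following minimal credential lookup shows the rule the issue turns on: a stored secret is released only when the request's protocol and host match a stored entry exactly, and a request that cannot be parsed cleanly is refused rather than interpreted. The key=value request format is the real git-credential protocol; the store contents and hostnames are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    username: str
    secret: str


# Constructed sample store keyed by (protocol, host); values are placeholders.
SAMPLE_STORE: Dict[Tuple[str, str], Credential] = {
    ("https", "github.com"): Credential("octocat", "PLACEHOLDER_OAUTH_TOKEN"),
    ("https", "git.example.com"): Credential("alice", "PLACEHOLDER_PASSWORD"),
}


def parse_request(raw: str) -> Dict[str, str]:
    """Parse a git-credential request: key=value lines, ended by a blank line.

    Any line that is not a clean key=value pair, or that carries a CR or NUL,
    is rejected outright rather than guessed at.
    """
    fields: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break  # blank line terminates the request
        if "=" not in line or "\r" in line or "\0" in line:
            raise ValueError(f"malformed credential line: {line!r}")
        key, value = line.split("=", 1)
        fields[key] = value
    return fields


def lookup(raw: str, store: Dict[Tuple[str, str], Credential] = SAMPLE_STORE) -> Optional[Credential]:
    """Return a stored credential only for an exact (protocol, host) match.

    A request for any other host, including a lookalike hostname that merely
    starts with a known one, or a request over plain http, gets nothing back.
    """
    req = parse_request(raw)
    protocol = req.get("protocol")
    host = req.get("host")
    if protocol != "https" or not host:
        return None
    # Hostnames are case-insensitive; compare in lowercase, never by prefix.
    return store.get((protocol, host.lower()))
```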
**Recommendations**
Update to GitHub Desktop 3.4.12 or greater to fix the vulnerability.
As a precaution, users who suspect they may be affected should revoke any relevant credentials.