A malicious installation link was found on a popular open source project's GitHub wiki. It pointed to a third-party URL (https://yip[.]su/2F5rd4) that is flagged by VirusTotal. If your project uses GitHub wikis, lock them down and restrict who can edit them.
What happened
While reviewing the documentation for Mockito (the most popular mocking framework for unit tests written in Java), someone noticed that the Wiki's installation section linked users to a shortened URL (https://yip[.]su/2F5rd4). The link was unrelated to the project and is flagged as malicious on VirusTotal. It lived on the Wiki's home page for over 3 years before it was removed.
Issue discussion: https://github.com/mockito/mockito/issues/3721
Wiki diff showing the insertion/removal: https://github.com/mockito/mockito/wiki/Home/_compare/7303a66959d7823864637d280a92b2a51b68c467...eb1df9c48fd3529bed997a81b4a2100e8c562fcd
Malicious short link: https://yip[.]su/2F5rd4
VirusTotal report: https://www.virustotal.com/gui/url/d05eafed450060b4cf8b044bcd7f74f0e1131d49cd2ea76b84de934e55390233
Evidence
The Wiki diff below shows the injected HTML, which renders download buttons and includes a Windows link to the malicious short URL:
[Download installer](http://goo-gl[.]me/kj2PI)
## Installation
<a href="https://yip[.]su/2F5rd4"><img src="https://github[.]com/aidenlab/JuiceboxLegacy/wiki/images/winlogo.png" width=100 align="middle"/></a> <a href="https://yip[.]su/2F5rd4">Mockito for Windows</a>
<a href="https://github[.]com/mockito/mockito/releases"><img src="https://github[.]com/aidenlab/JuiceboxLegacy/wiki/images/maclogo.png" width=100 align="middle"/></a> <a href="https://github[.]com/mockito/mockito/releases">Mockito for Mac</a>
<a href="https://github[.]com/mockito/mockito/releases"><img src="https://www.rvmis[.]com/vendor/Tux.svg.png" width=100 align="middle"/></a> <a href="https://github[.]com/mockito/mockito/releases">Mockito for Linux</a>

The Windows button resolves to https://yip[.]su/2F5rd4.
Other popular projects can be affected in the same way. This is not an isolated incident: any popular repo with an openly editable wiki is exposed to this technique.
Why
GitHub Wikis are separate from the code repo and carry their own permissions. On an open public project they can be edited by anyone, and those edits bypass the PR/code review process, so a malicious link can be added, go unnoticed, and get indexed by search engines.
What you can do to protect your Open Source project
- disable the Wiki, or restrict editing to selected collaborators only
- move installation docs into /docs (or the README) and require PR reviews
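Once the docs live in the repo, the review step can be backed by an automated check. The script below is an added example, not code from this report or from the Mockito project: it extracts Markdown and HTML links and images from a documentation page and flags any that do not fall under the project's own URL prefixes, rating highest the exact pattern seen here, project-branded link text ("Mockito for Windows") whose href leads off-project. The allowed prefixes, the project name and the sample page are assumptions; the sample is constructed to mirror the injected HTML above, with placeholder hostnames in place of the real short link and image hosts.

```python
"""Audit documentation (Markdown or the raw HTML GitHub wikis accept) for
links and images that leave the project's own hosts.

Added example; not part of the Mockito project or the original report.
The allowed prefixes and the sample page below are assumptions: the sample
mirrors the injected download buttons, with placeholder hostnames.
"""
import re
from typing import NamedTuple
from urllib.parse import urlparse

# Assumption: everything the docs link to should live under the project's own
# GitHub org. Extend with your docs site, CDN, Maven Central, etc.
ALLOWED_PREFIXES = (
    "https://github.com/mockito/",
    "https://raw.githubusercontent.com/mockito/",
)

# Markdown [text](url), HTML <a href=...>text</a>, HTML <img src=...>
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")
HTML_HREF = re.compile(
    r"""<a\s[^>]*href\s*=\s*["']?([^"'\s>]+)["']?[^>]*>(.*?)</a>""", re.I | re.S)
HTML_SRC = re.compile(r"""<img\s[^>]*src\s*=\s*["']?([^"'\s>]+)""", re.I)


class Finding(NamedTuple):
    kind: str      # "link" or "image"
    text: str      # visible link text ("" for bare images)
    url: str
    severity: str  # "high": project-branded text leads off-project; else "medium"


def _strip_tags(html: str) -> str:
    return re.sub(r"<[^>]+>", "", html).strip()


def is_project_url(url: str, allowed_prefixes=ALLOWED_PREFIXES) -> bool:
    """True for relative links (they stay inside the repo/wiki) and for
    absolute URLs under one of the allowed prefixes. Scheme-relative URLs
    (//host/...) carry a netloc and are treated as external."""
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        return True
    return url.lower().startswith(tuple(p.lower() for p in allowed_prefixes))


def audit(doc: str, project_name: str, allowed_prefixes=ALLOWED_PREFIXES) -> list:
    """Return every off-project link/image in doc as a Finding."""
    findings = []
    brand = project_name.lower()

    def check(kind: str, text: str, url: str) -> None:
        if is_project_url(url, allowed_prefixes):
            return
        # Branded anchor text pointing off-project is the download-button pattern.
        severity = "high" if kind == "link" and brand in text.lower() else "medium"
        findings.append(Finding(kind, text, url, severity))

    for text, url in MD_LINK.findall(doc):
        check("link", text, url)
    for url, inner in HTML_HREF.findall(doc):
        check("link", _strip_tags(inner), url)
    for url in HTML_SRC.findall(doc):
        check("image", "", url)
    return findings


# Constructed sample wiki home page: same structure as the injected HTML,
# placeholder hosts instead of the real short link and foreign image hosts.
SAMPLE_WIKI_HOME = """
[Download installer](https://short-link.example/abc123)
## Installation
<a href="https://short-link.example/abc123"><img src="https://github.com/other-org/other-repo/wiki/images/winlogo.png" width=100 align="middle"/></a> <a href="https://short-link.example/abc123">Mockito for Windows</a>
<a href="https://github.com/mockito/mockito/releases"><img src="https://github.com/other-org/other-repo/wiki/images/maclogo.png" width=100 align="middle"/></a> <a href="https://github.com/mockito/mockito/releases">Mockito for Mac</a>
<a href="https://github.com/mockito/mockito/releases"><img src="https://cdn.example/Tux.svg.png" width=100 align="middle"/></a> <a href="https://github.com/mockito/mockito/releases">Mockito for Linux</a>
See [the releases page](https://github.com/mockito/mockito/releases) and [Javadoc](/docs/api) for details.
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WIKI_HOME, "Mockito"):
        print(f"[{f.severity}] {f.kind}: {f.text!r} -> {f.url}")
```

Run it as a CI step over /docs and the README so a PR that introduces an off-project link fails review visibly. A GitHub wiki is itself a git repository (the repo URL with a .wiki.git suffix), so the same audit can be run on a schedule over the wiki pages and alert on new findings even where the wiki has not been disabled.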
Takeaway
Docs are part of your project. Treat them as you would code and put them through the same review process.