Photo by GitHub on An update on GitHub availability
GitHub — the giant code-sharing site that’s behind nearly every app, browser, and service you use — has been having a rough year. Through the spring of 2026 the platform has racked up dozens of outages, a bug that quietly lost some users’ work, and a string of attacks that turned trusted developer tools into delivery vehicles for malware. Independent reliability tracker IncidentHub counted 257 incidents on the platform between May 2025 and April 2026, 48 of them rated as major outages. February 2026 alone had 37 incidents — the worst month in that period.
That sounds technical, but the knock-on effects reach you. The apps on your phone, the password managers and security tools you rely on, the security patches your operating system pushes you — most of them are built and updated through GitHub. When the platform stalls, fixes ship late. When attackers slip in, malicious code can ride out into otherwise-trusted programs.
A run of bad security news, too
In late April, attackers tampered with a popular developer security scanner called Trivy and used it as a stepping stone to push poisoned versions of the Bitwarden command-line password tool to thousands of developers — exactly the kind of incident that ripples into the apps everyday users install. Around the same time, security researchers caught a self-spreading worm nicknamed “Shai-Hulud” silently copying credentials and cloud keys out of compromised software packages and stashing them in public GitHub repositories.
These weren’t break-ins of GitHub itself, but the platform is where the affected projects live and where the malicious updates were published. When developers can’t trust that the code they pull from GitHub is the code the original author wrote, the safety guarantee everyone — including you — relies on starts to crack.
The Ghostty departure
The reliability pain has now broken something more emotional: trust. On April 28, 2026, Mitchell Hashimoto — co-founder of HashiCorp, GitHub user number 1299, and a daily user since February 2008 — published a personal blog post announcing that his open-source terminal app Ghostty would be moving off GitHub. “This is no longer a place for serious work if it just blocks you out for hours per day, every day,” he wrote. He had spent the previous month keeping a journal: every day a GitHub outage interrupted his work, he marked an X. “Almost every day has an X.”
The two specific incidents that pushed him over the edge were an April 23 bug where GitHub’s “merge queue” silently corrupted code merges across hundreds of repositories — a quiet kind of data loss that’s especially scary because nobody notices until somebody goes looking — and an April 27 outage that took down GitHub’s search service for hours. Hashimoto’s post triggered a wave of similar reflections from other long-time users; a widely-shared companion piece by developer Vito Sartori echoed the same frustration, and discussions sprang up on Hacker News and Mastodon about which alternative platforms — Forgejo, Gitea, self-hosted GitLab — projects might move to.
GitHub’s response
GitHub has acknowledged the slide. The same day Hashimoto posted, GitHub’s leadership published an unusually candid blog titled “An update on GitHub availability,” apologizing — “Both of those incidents are not acceptable, and we are sorry for the impact they had on you” — and pledging that “availability first, then capacity, then new features” would be the new ordering of priorities.
In a separate analysis, GitHub blamed rapid growth, services that are too tightly coupled (so a problem in one area cascades into others), and an inability to “shed load” from misbehaving clients when something starts going sideways. GitHub Actions — the automation system most modern projects use to build, test and deploy software — has been the worst-affected piece, with 57 outages in the past year. The chart GitHub itself published, showing record-breaking pull request, commit, and repository-creation rates, makes the strain visible: the platform is being asked to handle more than it was built for.
What this means for you
For everyday users there’s no single button to press, but the broader picture is worth watching. A platform with this much of the world’s software supply chain piled on top of it can’t comfortably absorb a year of weekly stumbles, and the companies whose apps you trust are the ones bearing the cost. Several large open-source projects are now experimenting with alternatives. Whether GitHub’s apology turns into measurable reliability — and whether high-profile departures like Ghostty’s stay isolated or become a trend — will be a story to follow over the coming months.
The most practical takeaway is this: be a little more skeptical of urgent, unexpected software updates, especially for security-related tools. Stick to your usual update channels (your operating system’s built-in updater, your browser’s official store, the vendor’s own website you typed in by hand) and avoid clicking install prompts that arrive out of nowhere. The supply chain that delivers the code is having a bad year. Your own caution remains the strongest link.
Sources
- Ghostty Is Leaving GitHub — Mitchell Hashimoto
- An update on GitHub availability — The GitHub Blog
- GitHub availability report: March 2026 — The GitHub Blog
- GitHub acknowledges recent outages, cites scaling challenges — InfoQ
- GitHub says sorry and says it will do better as uptime slips — The Register
- Mitchell Hashimoto says GitHub ’no longer for serious work’ — The Register
- GitHub Outages 2025–2026: Reliability Analysis — IncidentHub
- GitHub’s Reliability Crisis: 8 Outages in 2 Months — byteiota
- Checkmarx confirms GitHub repository data posted on dark web — The Hacker News
- Bitwarden CLI compromised in ongoing supply-chain campaign — The Hacker News
- On Leaving GitHub — Vito Sartori