Hello, a few weeks ago the original maintainer of the syncthing-fork app ‘catfriend1’ suddenly disappeared. His account on GitHub was deleted. No one has had contact with them since then.
Shortly after, the repo was moved to a brand new account ‘researchxxl’, who was not able to properly explain how or why the repo was handed over to them, nor why the original maintainer handed over the release key to them, or why the original maintainer did not bother communicating this to the community in advance.
The worst-case scenario is that the original maintainer was hacked and the repo taken over. The new maintainer already pushed new software versions to F-Droid. The app is used to synchronize data across devices and thus has full filesystem access. A breach would be very dangerous for its users. The release key should be invalidated to avoid releasing potentially malicious code in the future.
The current release v2.0.12.1 seems to be free of malicious code. The latest "trusted" release by the original maintainer is v2.0.11.2 from mid-November.
Community member nel0x offered to take over maintenance of the package since he also maintains the Google Play Store package. This is not yet agreed upon by the community but he is a likely successor. For now, the package should be reverted to the latest trusted release and frozen/keys invalidated to avoid misuse.
Thank you!
Resources:
- F-droid app: https://f-droid.org/packages/com.github.catfriend1.syncthingfork
- syncthing forum discussion: https://forum.syncthing.net/t/does-anyone-know-why-syncthing-fork-is-no-longer-available-on-github/25661/144
- new (untrusted) repo: https://github.com/researchxxl/syncthing-android/issues/16#issuecomment-3618898346
Edited Dec 06, 2025 by