It said examination of logs showed that from 8 April to 27 June, various GitHub accounts were being probed, with the attackers presumably looking for vulnerable accounts.
The report said unknown individuals obtained control of an administrator account for the Gentoo GitHub mirror and prevented Gentoo developers from gaining access to the mirror and its repositories.
"We do not believe the private keys of the account impacted were at risk, and so the Gentoo-hosted infrastructure was not impacted by this incident."
Gentoo is a Linux distribution meant for advanced users. The source is compiled locally depending on user preferences and is often optimised for specific hardware. Some larger packages are offered as precompiled binaries, and the same applies to those which have no source code available.
The source code repository GitHub was recently acquired by Microsoft for US$7.5 billion (A$9.79 billion) in Microsoft stock.
The Gentoo project said after gaining access, the attackers "then proceeded to make various changes to content".
The Gentoo developer and infrastructure teams contacted GitHub support and the Gentoo mirror was frozen by GitHub staff.
It said the project had regained control of the Gentoo GitHub mirror and reverted the bad commits and defaced content.
On the plus side of the way things were handled, the project lauded its quick reaction to the situation and the speedy response from GitHub.
The cons were initial unclear communications, failure to block access to the repositories via git and the lack of a back-up copy of the way the mirror was organised.
"Numerous Gentoo developers have personal contacts at GitHub, and in the security industry and these contacts proved valuable throughout the incident response," the report said.
"The attack was loud; removing all developers caused everyone to get emailed. Given the credential taken, its likely a quieter attack would have provided a longer opportunity window.
"The method by which the attackers pushed commits (force pushing their commits) made downstream consumption more conspicuous; this would have blocked git from silently pulling in new content to existing checkouts on 'git pull'."