GitLab also had the same issue a few weeks ago. Once static pages are published, GitLab gives you a URL ending in gitlab.io. You can use your custom domain or subdomain by pointing a CNAME or A record to GitLab.
What users would do is add DNS records in their DNS manager to point their custom domain to GitLab Pages, and later delete the GitLab Pages site when it is no longer wanted. A scammer will simply point that same domain to his fake repository, thus hijacking the customer's domain.
GitLab then made customers add a TXT record to verify the domain. The scammer's TXT record value is different from the customer's TXT record, and the scammer can't modify DNS records.
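A toy model of the TXT check described above, as an added example that is not part of the original post and is not GitLab's code. The host name `pages.example.net`, the `_verify.` TXT label, the `PagesHost` class and the domains are all assumptions made up for illustration; the DNS zone is a constructed dictionary standing in for a resolver.

```python
import secrets

PAGES_TARGET = "pages.example.net"   # hypothetical CNAME target of the pages host

class PagesHost:
    """Toy static-pages host that binds custom domains to projects."""
    def __init__(self, dns, require_txt):
        self.dns = dns               # {(name, rtype): value}, stands in for DNS lookups
        self.require_txt = require_txt
        self.codes = {}              # (project, domain) -> per-project verification code
        self.bindings = {}           # domain -> project currently served

    def request_domain(self, project, domain):
        # Each project claiming a domain gets its own random code.
        code = secrets.token_hex(16)
        self.codes[(project, domain)] = code
        return code

    def activate(self, project, domain):
        if self.dns.get((domain, "CNAME")) != PAGES_TARGET:
            return False             # domain does not point at the host at all
        if self.require_txt:
            expected = self.codes.get((project, domain))
            published = self.dns.get(("_verify." + domain, "TXT")) or ""
            if expected is None or not secrets.compare_digest(published, expected):
                return False         # claimant cannot prove control of the zone
        self.bindings[domain] = project
        return True

    def remove_project(self, project):
        self.bindings = {d: p for d, p in self.bindings.items() if p != project}

def dangling_domain_claimed(require_txt):
    """Replay the sequence from the post; True means the second project got the domain."""
    domain = "docs.customer.example"                      # constructed sample domain
    dns = {(domain, "CNAME"): PAGES_TARGET}               # customer's zone
    host = PagesHost(dns, require_txt)
    code = host.request_domain("customer/site", domain)
    dns[("_verify." + domain, "TXT")] = code              # only the zone owner can publish this
    assert host.activate("customer/site", domain)
    host.remove_project("customer/site")                  # site deleted, DNS records left behind
    host.request_domain("scammer/fake", domain)           # issued a different code
    return host.activate("scammer/fake", domain)

if __name__ == "__main__":
    print("claimed without TXT check:", dangling_domain_claimed(False))
    print("claimed with TXT check:   ", dangling_domain_claimed(True))
```

The customer's leftover TXT record does not help the second project, because the code is bound to the project that requested it.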