Gitlab also had same issue few weeks ago. Gitlab, once static pages are published, gives you a URL with gitlab.io ending. You can use your custom ___domain or subdomain by pointing CNAME or A record to Gitlab.
What users would do is, add DNS records to their DNS Manager to point their custom ___domain to Gitlab Pages, later will delete the Gitlab pages when not wanted any more. Scammer will simply point that same ___domain to his fake repository, thus hijacking customer ___domain.
Gitlab then made customer add a Txt Record for verification of ___domain. Scammer's txt record value is different from customer txt record, scammer can't modify DNS records.
What users would do is, add DNS records to their DNS Manager to point their custom ___domain to Gitlab Pages, later will delete the Gitlab pages when not wanted any more. Scammer will simply point that same ___domain to his fake repository, thus hijacking customer ___domain.
Gitlab then made customer add a Txt Record for verification of ___domain. Scammer's txt record value is different from customer txt record, scammer can't modify DNS records.