This hack works by disabling the real cursor (using a custom CSS cursor image set to a transparent png), then moving around a fake cursor image using JS.
See by comparison this hack I made a few months ago [1], which uses a dynamic CSS cursor image (drawn in JS). The interesting thing it shows is that CSS cursors can escape the viewport, leading to possible security issues.
Same here on a non-hdpi screen (Dell Chromebook 11). The fake padlock appears inside the body and it's quite clearly not part of the browser. Not sure if something changed since it was built or maybe it only works in certain browsers, but certainly doesn't seem like an exploitable issue here.
Nice hack. It's not obvious whether it still works now that GitHub Pages uses HTTPS, though the fact that clicking on the page triggers the same action as clicking the page icon/padlock suggests it does.
I'm on a Linux machine and figured out the trick fairly quickly: clicking the green padlock does not perform the same action. That's part of the hack too, the interface that pops up is styled like the Windows dialog and isn't interactive. (Clicking on it simply dismisses it.)
It's quite convincing otherwise, and that's very frightening. :)
See by comparison this hack I made a few months ago [1], which uses a dynamic CSS cursor image (drawn in JS). The interesting thing it shows is that CSS cursors can escape the viewport, leading to possible security issues.
[1]: https://jameshfisher.github.io/cursory-hack/