This would only be an interim solution. The attacker here sets up a fake github.com and collects credentials. So, VPN would be first trying to route over some internal hostname/IP address and probably just fail.
However, if everyone uses some VPN, the attacker can start imitating the VPN server. Or all the common ones. Redirect all traffic to a fake myvpnname.com/login with a message “you’re using your device from a suspicious location, please confirm your credentials”. You’re on a plane, so you think this makes sense, punch in your password and it’s gone!
https://en.m.wikipedia.org/wiki/Externality