The rise of malicious repositories on GitHub
Artem Golubin

There is an ongoing surge of malicious repositories on GitHub, and the sad thing about it is that GitHub seems not to care much.

About 10 days ago, I searched for a repo on DuckDuckGo and stumbled upon a fake GitHub repo. It mimics a legitimate repository, but instead of providing the usual releases, it only provides malicious Windows binaries. Linux/macOS binaries are not available, and the information on how to build the project was removed from the README file. The description was also altered using LLMs, removing a lot of technical details.

I reported this repository to GitHub, explaining the problem and showing the report from VirusTotal. To this day, the repository is still there, and the binaries are still available for download. The repo has been active for two months. The README is updated every hour so that the repository appears higher in GitHub search.

Today, I saw another case of this on X, and this got me thinking about checking GitHub for more of these repositories. I was able to find more than 100 such repositories; some of them are completely generated by LLMs to get traffic from search engines and GitHub, while others mimic popular repositories. Notably, some repositories are macOS/Linux specific (e.g. homebrew), but they still only provide Windows binaries. This suggests that the whole campaign is either automated or took very little effort.

Here is a simple dork for GitHub search:

```
path:README.md /software-v.*.zip/
```

Malicious links usually follow a recognizable pattern:

- Software-v1.9-beta.2.zip
- Software-v1.7.zip
- Software-v1.9-alpha.3.zip

Some of the accounts seem to have been registered a long time ago, so I guess there is account hijacking going on.

Don't be fooled; always check the repository you are downloading from. The good thing is that browsers already refuse to download the majority of these malicious files, because they are flagged by antivirus software.
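As an added example (my own script, not code from the original post), here is a small Python triage helper that turns the dork and the filename pattern above into offline heuristics: it extracts download links of the form Software-vX.Y[-alpha|beta|rc.N].zip from a README, checks whether the README mentions any non-Windows artifact or build instructions, and measures how much of a commit history consists of README-only commits at an hourly cadence. The README texts, the `example-org` repository name and the commit timestamps are constructed for illustration, and the thresholds in `assess()` are my own assumptions; treat the output as a reason to look closer, not as a verdict.

```python
import re
import statistics
from datetime import datetime, timedelta

# Download-link pattern described in the post (Software-v1.7.zip, Software-v1.9-beta.2.zip).
# Stricter than the GitHub dork /software-v.*.zip/ so that the version parts can be captured.
RELEASE_ZIP_RE = re.compile(
    r"\b(?P<name>[A-Za-z][\w.-]*?)-v(?P<version>\d+(?:\.\d+)*)"
    r"(?:-(?P<stage>alpha|beta|rc)\.(?P<build>\d+))?\.zip\b",
    re.IGNORECASE,
)
# A genuine cross-platform project usually ships at least one of these alongside a Windows zip.
NON_WINDOWS_ARTIFACT_RE = re.compile(
    r"\.(?:dmg|pkg|deb|rpm|AppImage|tgz|tar\.(?:gz|xz|bz2))\b", re.IGNORECASE
)
# Build instructions that the fakes tend to strip from the README.
BUILD_HINT_RE = re.compile(
    r"\b(?:make|cmake|cargo build|go build|pip install|npm install|gradle|mvn)\b", re.IGNORECASE
)


def find_release_links(readme):
    """Return every Software-vX.Y[-stage.N].zip reference in the README, with parsed parts."""
    return [dict(m.groupdict(), file=m.group(0)) for m in RELEASE_ZIP_RE.finditer(readme)]


def readme_churn(commits):
    """Fraction of commits that touch only README.md, and the median gap between them in hours.

    commits: iterable of (datetime, tuple_of_paths). The gap is None with fewer than two
    README-only commits.
    """
    commits = list(commits)
    if not commits:
        return 0.0, None
    only_readme = sorted(ts for ts, files in commits if {f.lower() for f in files} == {"readme.md"})
    fraction = len(only_readme) / len(commits)
    if len(only_readme) < 2:
        return fraction, None
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(only_readme, only_readme[1:])]
    return fraction, statistics.median(gaps)


def assess(readme, commits):
    """Combine the signals. Thresholds (90% README-only commits, <= 2 h cadence, two of three
    secondary signals) are assumptions chosen for this example, not values from the post."""
    links = find_release_links(readme)
    fraction, gap = readme_churn(commits)
    signals = {
        "release_zip_links": len(links),
        "windows_only": bool(links) and NON_WINDOWS_ARTIFACT_RE.search(readme) is None,
        "no_build_docs": BUILD_HINT_RE.search(readme) is None,
        "readme_churn": fraction >= 0.9 and gap is not None and gap <= 2,
    }
    secondary = sum(signals[k] for k in ("windows_only", "no_build_docs", "readme_churn"))
    return signals, bool(links) and secondary >= 2


# --- Constructed sample data (not real repositories) ---------------------------------------
README_FAKE = """# Software
Download the latest version:
- [Windows](https://github.com/example-org/software/releases/download/v1.9-beta.2/Software-v1.9-beta.2.zip)
- [Windows (stable)](https://github.com/example-org/software/releases/download/v1.7/Software-v1.7.zip)
"""

README_REAL = """# Software
## Build from source
    make && make install
## Downloads
- Software-v1.7.zip (Windows)
- software-1.7-macos.dmg
- software-1.7.tar.gz
"""

# 48 commits, one per hour, each touching only README.md: the "updated every hour" behaviour.
FAKE_COMMITS = [(datetime(2026, 3, 1) + timedelta(hours=i), ("README.md",)) for i in range(48)]
REAL_COMMITS = [
    (datetime(2026, 2, 3, 9), ("src/main.c", "Makefile")),
    (datetime(2026, 2, 10, 14), ("README.md",)),
    (datetime(2026, 2, 20, 11), ("src/main.c", "tests/test_main.c")),
]

if __name__ == "__main__":
    for label, readme, commits in (("fake", README_FAKE, FAKE_COMMITS), ("real", README_REAL, REAL_COMMITS)):
        signals, suspicious = assess(readme, commits)
        print(label, "suspicious" if suspicious else "ok", signals)
```

The second README deliberately contains a `Software-v1.7.zip` link too: the filename pattern alone is a weak signal that legitimate projects can also trip, which is why the script only flags a repository when the Windows-only releases, the stripped build instructions or the hourly README rewrites back it up. Commit data would normally come from `git log --name-only` or the GitHub API; here it is embedded so the script runs offline.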
Published March 15, 2026 in the Security category.