
I found 10k GitHub repositories distributing Trojan malware

Why This Matters

This article documents how Trojan malware is being distributed through roughly 10,000 GitHub repositories that copy legitimate projects, name, description and commit history included, and then add a link to a zip archive in the readme. Because the copies look like ordinary repositories and surface in search-engine results, developers and end users can be led to a malicious download instead of the real project. The author's experience also shows that the platform's abuse-reporting process can take weeks to act, so the open-source community cannot rely on moderation alone and needs its own ways of spotting such copies.

How I found 10,000 GitHub repositories distributing Trojan malware

This is the story of how I found 10,000 repositories on GitHub that distribute Trojan malware. They are all from different contributors, have different names, and are not forks of other repositories. But they share a common pattern, which is what allowed me to write a script to find such repositories.

Introduction

I have a project on GitHub, and I wanted to check whether search engines had indexed it. I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else's repository appeared in the results, with the exact same name and description. It was a copy of my repository with all the commits, and I was listed as a contributor. But an hour earlier, another commit had been pushed with a change to the readme: a link to a zip archive had been added to it.

I was choosing appropriate tags for another one of my projects on GitHub. I clicked through those tags to look at similar projects. In the list, I found a repository whose name and description matched exactly those of another repository on that list. It turned out that it also contained copies of all the commits from that repository, and two hours earlier a link to a zip archive had been added to the readme.

After monitoring these two repositories, I discovered that every few hours they delete the previous commit and push the exact same commit again. This commit contains only one change: adding a link to the archive in the readme file.
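The pattern described above is mechanical enough to check automatically: a non-fork repository whose name and description duplicate another repository's, and whose most recent commit touches only the readme and adds a link to a zip archive. The following is an added example of such a heuristic, not the author's script; it parses the unified diff of a repository's latest commit (as produced by `git show` or fetched from an API) and flags repositories matching the pattern. The repository records, descriptions and diffs below are constructed for the example, and `example.invalid` is a placeholder host.

```python
"""Heuristic detector for the readme-zip-link copy pattern.
Added example, not the author's code; all sample data is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from posixpath import basename

# The tell-tale change: a link to a downloadable archive added to the readme.
ZIP_LINK = re.compile(r"https?://[^\s)\]>]+\.zip\b", re.IGNORECASE)
README_NAMES = {"readme", "readme.md", "readme.rst", "readme.txt"}


def added_lines_by_file(diff_text):
    """Parse a unified diff into {path: [added lines]}, ignoring removed and context lines."""
    files = {}
    current = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].strip()
            current = path[2:] if path.startswith("b/") else path
            files.setdefault(current, [])
        elif line.startswith("+") and current is not None:
            files[current].append(line[1:])
    return files


def commit_adds_zip_link_to_readme_only(diff_text):
    """True if the commit touches only readme-like files and adds at least one .zip link."""
    files = added_lines_by_file(diff_text)
    if not files:
        return False
    if not all(basename(path).lower() in README_NAMES for path in files):
        return False
    return any(ZIP_LINK.search(line) for lines in files.values() for line in lines)


@dataclass
class Repo:
    full_name: str    # "owner/name"
    description: str
    is_fork: bool
    latest_diff: str  # unified diff of the most recent commit


def _twin_key(repo):
    # Copies keep the original's repository name and description verbatim.
    return (repo.full_name.split("/")[-1].lower(), repo.description.strip().lower())


def find_suspicious(repos):
    """Flag non-fork repos that duplicate another repo's name+description and whose
    latest commit only adds a zip link to the readme."""
    twins = defaultdict(list)
    for repo in repos:
        twins[_twin_key(repo)].append(repo)
    return [
        repo.full_name
        for repo in repos
        if not repo.is_fork
        and len(twins[_twin_key(repo)]) > 1
        and commit_adds_zip_link_to_readme_only(repo.latest_diff)
    ]


# Constructed sample diffs (hypothetical URL on a placeholder host).
MALICIOUS_DIFF = """diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,4 @@
 # java-sdk
 Example SDK
+
+Download the latest build: https://example.invalid/files/java-sdk.zip
"""

BENIGN_DIFF = """diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # java-sdk
 Example SDK
+See CHANGELOG.md for release notes.
diff --git a/src/Main.java b/src/Main.java
--- a/src/Main.java
+++ b/src/Main.java
@@ -1 +1,2 @@
 class Main {}
+// unrelated source change
"""

# Constructed repositories: the original, a copy, a fork, and an unrelated project.
SAMPLE_REPOS = [
    Repo("alice/java-sdk", "Example SDK", False, BENIGN_DIFF),
    Repo("mallory/java-sdk", "Example SDK", False, MALICIOUS_DIFF),
    Repo("carol/java-sdk", "Example SDK", True, MALICIOUS_DIFF),
    Repo("bob/java-sdk", "Unrelated project with the same name", False, MALICIOUS_DIFF),
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_REPOS))
```

In practice the diff would come from `git show --format= HEAD` on a clone, or from a code-hosting API, and the twin lookup would be run over search results for a given repository name. The fork check mirrors the author's observation that the copies are not forks; forks that add the same link are not malicious by this heuristic alone, so they are deliberately left out rather than reported.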

I submitted a request to GitHub support asking them to delete these repositories. Two weeks passed and nothing had changed; GitHub support hadn't responded. I discussed with an AI what else could be done about this, but it didn't offer any useful advice. I opened a thread on GitHub, and three people replied with the same AI slop that was of no use at all.

Another month later, GitHub support sent me an email saying that they had removed these repositories.

You can open other similar repositories, look at the latest commit, and see that a link to a zip archive was added to the readme a few hours ago:

https://github.com/Dicrida123/java-sdk
