GitHub flooded with malware repos spoofing real projects–no response from GitHub
This isn’t just one or two cases; it looks like a massive campaign. The repos often copy a real project’s README and structure, though reworded through an LLM, but contain malicious code distributed through releases or sometimes attachments. Here’s one example: https://github.com/ojas1103/CircleProgressKit
Take care not to actually download this unless you know what you’re doing. This is malware.
Some of these have a high number of stars on occasion, though they are sometimes difficult to find because the Threat Actor appears to be constantly force pushing code to force GitHub to re-index it, so they have to be discovered through external indexes.
The malware seems to predominantly contain Redline infostealers. It appears that they may even include some of the recent more advanced 2FA credential stealers.
The worst part? These aren’t getting taken down despite multiple reports. GitHub appears to be a black hole. If someone downloads a spoofed repo thinking it’s safe, they could be running malware. I don’t know how many people have been affected, but it seems to be escalating.
At this point, I’m out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?
5 comments
[ 3.2 ms ] story [ 19.6 ms ] threadNot read any thriller / conspiracy novels? :-) The way is to do exactly what you're doing here: take the news public. Very public. The more the merrier. Post to HN, LinkedIn, Facebook, Slashdot, Twitter, TikTok, Reddit, etc. Send email to every news/media outlet you can find contact info for. @mention people who work for CNN, MSNBC, ABC News, Fox News, CBS News, Reuters, Associated Press, etc. on Twitter, or find them on LinkedIn and message them. Write up a press release and submit using PRNewsWire and such-like. Record a video and post on Youtube. Contact the Attorneys General for all 50 US states. And so on.
Edited to add: I’ve also been hoping that I could avoid giving the attackers too much of a heads up, but at this point the risk is higher that nothing gets done about it at all.
So your report might get looked at in half a year. Less if they have working filters to prioritize reported malware.