You're viewing the mstdn.social public feed.
  • Jun 18, 2026, 8:59 PM

    This is the story of how I found 10,000 repositories on GitHub that distribute Trojan malware. They are all from different contributors, have different names, and are not forks of other repositories. But they share a common pattern, which is what allowed me to write a script to find such repositories. orchidfiles.com/github-reposit Github and say no more. They are too busy with AI and replacing staff with bots. So be careful downloading stuff on your dev box.

    💬 8🔄 247⭐ 242

Replies

  • Jun 18, 2026, 10:23 PM

    @nixCraft great work! 🫡🥰

    Just a point of clarification question. When you say: 'Each of these repositories contains a zip archive with a Trojan.'

    Is this a link to a zip archive in README.md? Or does this zip archive decompress and auto execute on a Windows system when the repo is downloaded?

    This could be evidence of complicity, no? An AI with access to thousands of repos suggests an inside job?

    Thank God I switched to Codeberg.org a while back...

    💬 1🔄 0⭐ 1
  • Jun 18, 2026, 10:36 PM

    @nixCraft if these are public repos, could there be an SEO aspect to this?

    Lots of backlinks from git to a zip archive trojan URL could raise this URL up the results pages on Google?

    Just a thought...

    💬 1🔄 0⭐ 0
  • Jun 18, 2026, 11:49 PM

    @handi @nixCraft i think it's highly likely this behavior is SEO. both the targeting of new repos that don't yet have a big search engine presence, and the frequent updates to make it look like the most recently updated hit. slop farms use similar tactics by constantly republishing the same articles over and over to pump up their relevancy in search engines.

    💬 1🔄 0⭐ 1
  • Jun 19, 2026, 1:34 AM

    @nixCraft Whelp, I've been cutting-n-pasting some of those malware links and they're all 404-ing, so looks like someone in GitHub is listening after all?

    💬 0🔄 0⭐ 0
  • Jun 19, 2026, 2:01 AM

    @nixCraft amazing detective work. I wish I knew earlier, as I could have connected you with the right folks.

    💬 0🔄 0⭐ 1
  • Jun 19, 2026, 4:08 AM

    @nixCraft They delete their commit with the README zip file link, and then push it again? So that it looks recent, or why?

    💬 1🔄 0⭐ 0
  • Jun 20, 2026, 5:03 PM

    @utf_7 Yes. To appear at the top of the search results when someone enters the repository name in the GitHub search bar.

    💬 0🔄 0⭐ 0
  • Jun 19, 2026, 7:15 AM

    @nixCraft Quite frequently I get a phishing email which uses a GitHub page as a starting point. All these repos have exactly one index.html with only JS code inside. The code is identical - it checks your IP and redirects you to Google or the next web page outside GitHub. I always report them and it takes them weeks to remove them. I bet it would be easy to automatically scan and remove them but...

    💬 0🔄 0⭐ 1
  • Jun 19, 2026, 8:55 PM

    @nixCraft Thanks for posting the link to my blog. But it's funny that people in the comments think it's your article =)

    💬 0🔄 0⭐ 0