The rise of malicious repositories on GitHub

Last updated on March 15, 2026

There is an ongoing surge of malicious repositories on GitHub, and the sad thing about it is that GitHub seems not to care much.

About 10 days ago, I searched for a repo on DuckDuckGo and stumbled upon a fake GitHub repo. It mimics a legitimate repository, but instead of providing the usual releases, it only provides Windows binaries. Linux binaries are not available, and the information on how to build the project was removed from the README file.

The description was also altered using LLMs, removing a lot of technical details.

I reported this repository to GitHub, explaining the problem and showing the report from VirusTotal. To this day, the repository is still there, and the binaries are still available for download.

The repo has been active for two months. The README gets constantly updated, every hour, so that it appears higher in GitHub search.

Today, I saw another case of this on X, and this got me thinking about checking GitHub for more of these repositories.

I was able to find more than 100 such repositories. Some of them are completely generated by LLMs to get traffic from search engines and GitHub, while others mimic popular repositories.

Here is a simple dork for GitHub search:

path:README.md /software-v.*.zip/

Malicious links usually follow a recognizable pattern:

Software-v1.9-beta.2.zip
Software-v1.7.zip
Software-v1.9-alpha.3.zip
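
The signals described in this post (a README link matching the archive naming pattern, missing build instructions, and README commits arriving every hour) can be checked mechanically before trusting a repository. The following Python is an added example, not code from the original post; the regex is generalised from the three sample names above, and the build-keyword list, the thresholds and the sample README text are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Generalised from the three sample names in the post; the post's own dork is looser.
LURE_RE = re.compile(r"\bsoftware-v\d+(?:\.\d+)*(?:-[a-z]+\.\d+)?\.zip\b", re.I)
# Assumption: words that usually appear when a README explains building from source.
BUILD_RE = re.compile(r"\b(build|compile|make|cmake|cargo|npm install|pip install)\b", re.I)

def lure_links(readme):
    """Return the archive names in the README that match the lure naming pattern."""
    return sorted({m.group(0) for m in LURE_RE.finditer(readme)})

def hourly_churn(commit_times, min_commits=12):
    """True when README commits arrive at a steady cadence of roughly one hour."""
    times = sorted(commit_times)
    if len(times) < min_commits:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    near_hour = [g for g in gaps if timedelta(minutes=45) <= g <= timedelta(minutes=75)]
    return len(near_hour) / len(gaps) >= 0.8

def triage(readme, commit_times):
    """Collect the signals described in the post for one repository."""
    links = lure_links(readme)
    no_build = BUILD_RE.search(readme) is None
    churn = hourly_churn(commit_times)
    return {"lure_links": links,
            "no_build_instructions": no_build,
            "hourly_readme_churn": churn,
            "suspicious": bool(links) and (no_build or churn)}

# Constructed sample data, not taken from any real repository.
FAKE_README = """# CoolTool
Download: [Software-v1.9-beta.2.zip](https://example.invalid/Software-v1.9-beta.2.zip)
Unzip and run the installer on Windows.
"""
REAL_README = """# CoolTool
## Build
    make && make install
Releases: cooltool-1.9.0-linux-x86_64.tar.gz
"""
START = datetime(2026, 3, 1)
HOURLY = [START + timedelta(hours=i) for i in range(24)]    # README touched every hour
SPARSE = [START + timedelta(days=7 * i) for i in range(5)]  # ordinary maintenance

if __name__ == "__main__":
    print(triage(FAKE_README, HOURLY))
    print(triage(REAL_README, SPARSE))
```

A hit is a reason to compare the repository against the upstream project, not proof of malice: the keyword and cadence checks are heuristics and will produce both false positives and misses.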

Some of the users seem to have been registered a long time ago, so I guess there is account hijacking going on.

Don't be fooled: always check the repository that you are downloading from.

The good thing is that browsers already refuse to download the majority of these malicious files, because they are flagged by antivirus software.


If you have any questions, feel free to ask them via the e-mail displayed in the footer.
All articles on this website are written by a human without LLM assistance.
