Hackers Compromise 10,000 GitHub Repositories With Malicious Script
Key Takeaways
- A widespread malware operation has infected over 10,000 GitHub repositories, distributing Trojan-laced archives.
- Attackers are cloning legitimate projects, injecting malicious links into README files, and using sophisticated evasion techniques to bypass detection.
- The campaign leverages GitHub’s trust model and search engine visibility to ensnare unsuspecting developers.
- Despite reporting, remediation efforts by GitHub have been inconsistent, indicating a reactive approach.
Extensive Malware Campaign Infiltrates 10,000 GitHub Repositories
A sophisticated malware campaign has been uncovered, compromising more than 10,000 GitHub repositories by injecting malicious scripts and Trojan-laced archives. This large-scale operation exploits GitHub’s inherent trust model and highlights significant gaps in automated threat detection mechanisms, according to a recent investigation.
The discovery began when a researcher identified a suspicious clone of their own legitimate repository appearing in search engine results. While the project’s name, description, and complete commit history were identical to the original, a newly added commit introduced a nefarious link within the README file, directing users to a downloadable ZIP archive.
Subsequent observations revealed this identical malicious behavior across numerous other repositories, featuring different names and contributors, yet lacking direct fork relationships. This pattern strongly suggests a coordinated attack rather than isolated incidents by individual actors.
Attackers Mimic Legitimate Activity to Evade Detection
Detailed analysis exposed a consistent modus operandi across the compromised repositories. Threat actors meticulously replicated legitimate projects, including their full commit histories and contributor profiles, an apparent tactic to build credibility and deceive users. They then periodically altered the README file to embed links to external ZIP archives. These malicious commits were frequently overwritten and re-pushed every few hours, often labeled with generic messages like “Update README.md.” This technique likely serves to evade automated detection systems and maintain visibility within search engine indexing.
The external ZIP archives contained a small collection of files, including command scripts, executable loaders, and dynamic link libraries. While initial scans of individual file links on VirusTotal often yielded no detections, a comprehensive scan of the complete archive consistently identified Trojan malware. This suggests attackers are employing advanced evasion techniques, potentially involving payload splitting or obfuscation, to bypass standard automated scanning tools.
Scope of the Campaign Uncovered Through Scripted Analysis
To ascertain the full scale of the campaign, the researcher developed a custom script leveraging GitHub event data from GH Archive. Rather than attempting an impractical scan of all repositories, which would quickly hit API rate limits, the script focused on repositories exhibiting frequent commit activity. Over a five-day period, approximately 16 million commit events were analyzed, revealing around 3,000 repositories with suspicious update patterns.
After refining filters to exclude bot activity, enforce contributor diversity, and detect anomalous commit timings, the script ultimately identified roughly 10,000 repositories that matched the malicious pattern. According to Orchid in a report shared with Cybersecurity News, many of these compromised repositories had remained undetected for months or even years. Researchers also noted that some repositories were updated infrequently, challenging the initial assumption that rapid commit activity was a definitive indicator of malicious intent. Additional red flags included commits with no actual file changes and consistent naming conventions, further pointing to automated deployment methods.
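The filtering described above, as an added example that is not the researcher's script: it triages GH Archive-style PushEvent records by the indicators the article names (generic "Update README.md" messages, one non-bot actor, a regular every-few-hours cadence). Field names follow the GH Archive/GitHub Events layout (type, actor.login, repo.name, created_at, payload.commits[].message); the repository names, logins and timestamps are constructed; the empty-diff check the article mentions is not available from push events alone and is left out.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

GENERIC = {"update readme.md", "update readme"}

def _push(repo, actor, ts, msg):
    # One simplified GH Archive-style PushEvent line (constructed sample, not a real record).
    return json.dumps({"type": "PushEvent", "actor": {"login": actor}, "repo": {"name": repo},
                       "created_at": ts, "payload": {"commits": [{"message": msg}]}})

SAMPLE_EVENTS = (  # constructed: one clone-style repo, one bot-driven repo, one ordinary repo
    [_push("hypothetical-org/cloned-project", "hypo-user", f"2025-01-01T{h:02d}:00:00Z",
           "Update README.md") for h in (0, 4, 8, 12)]
    + [_push("hypothetical-org/dep-bump", "dependabot[bot]", f"2025-01-01T{h:02d}:00:00Z",
             "Update README.md") for h in (0, 4, 8, 12)]
    + [_push("hypothetical-org/real-work", "dev-a", "2025-01-01T09:12:00Z", "Fix null deref in parser"),
       _push("hypothetical-org/real-work", "dev-b", "2025-01-01T15:40:00Z", "Update README.md"),
       _push("hypothetical-org/real-work", "dev-a", "2025-01-02T11:03:00Z", "Add tests")]
)

def load_pushes(lines):
    """Group PushEvents by repository, dropping bot actors up front as the text describes."""
    by_repo = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "PushEvent" and not ev["actor"]["login"].endswith("[bot]"):
            by_repo[ev["repo"]["name"]].append(ev)
    return by_repo

def indicators(events):
    """Compute the README-rewrite indicators for one repository's pushes."""
    events = sorted(events, key=lambda e: e["created_at"])
    msgs = [c["message"].strip().lower() for e in events for c in e["payload"]["commits"]]
    times = [datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ") for e in events]
    gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    # Regular cadence: pushes every few hours with little jitter relative to the mean gap.
    regular = bool(gaps_h) and 1 <= mean(gaps_h) <= 12 and pstdev(gaps_h) <= 0.25 * mean(gaps_h)
    return {"pushes": len(events),
            "generic_ratio": sum(m in GENERIC for m in msgs) / max(len(msgs), 1),
            "single_actor": len({e["actor"]["login"] for e in events}) == 1,
            "regular_cadence": regular}

def triage(lines, min_pushes=3):
    """Return repositories matching all indicators; a review queue, not a verdict."""
    flagged = []
    for repo, evs in load_pushes(lines).items():
        ind = indicators(evs)
        if (ind["pushes"] >= min_pushes and ind["generic_ratio"] >= 0.8
                and ind["single_actor"] and ind["regular_cadence"]):
            flagged.append(repo)
    return sorted(flagged)
```

The thresholds are starting points; the article notes that some compromised repositories were updated infrequently, so a low cadence alone should not clear a repository.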
Exploiting Trust and Inconsistent Remediation
The campaign appears strategically designed to exploit GitHub’s prominent visibility in search engines and its integration into developer workflows. By cloning newly created or low-traffic repositories, attackers increase the likelihood of their malicious versions appearing in search results for niche queries. Preserving legitimate commit history and contributor metadata further lends an air of legitimacy, making users more likely to trust and download the malicious files.
Despite reporting efforts by the researcher, remediation has been inconsistent. While GitHub removed the repositories that were explicitly flagged, newly identified malicious instances often remained active, indicating a reactive rather than proactive enforcement strategy. Public reports and earlier research suggest that this specific tactic has been in use since at least early 2025, with similar campaigns distributing malware families such as SmartLoader and StealC.
These findings underscore a significant challenge for code hosting platforms: effectively detecting malicious behavior that closely mimics legitimate development activity. Without scalable analysis of repository content, commit patterns, and external links, such campaigns can persist and proliferate undetected. For developers, this incident serves as a critical reminder of the importance of verifying external downloads, even when they appear to originate from seemingly credible repositories.
What You Should Do
- Verify Repository Authenticity: Always double-check the URL and ownership of a repository before cloning or downloading. Look for official links from project documentation.
- Inspect README Files Critically: Be suspicious of new, sudden, or unusual links in README files, especially those pointing to external ZIP or executable downloads.
- Scan All Downloads: Use reputable antivirus and anti-malware solutions to scan any archives or executables downloaded from GitHub, regardless of the perceived legitimacy of the source.
- Monitor for Anomalous Activity: If you are a repository owner, regularly review your commit history and contributor logs for any unauthorized or suspicious changes.
- Report Suspicious Repositories: If you encounter a repository exhibiting these malicious patterns, report it to GitHub immediately to aid in platform-wide security efforts.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.