Does the CISO of GitHub read her own GitHub issues alerting her of malware on GitHub?


Hi Alexis,

For a week now, I’ve been trying and failing to get the attention of anyone on the GitHub Security team to pay attention to a massive botnet creating spoofed repositories that are serving malware to users.

The first one that came to my attention was a spoofed repo of my own repository. The spoofed version is here: https://github.com/sccopa/homefront

There are at least hundreds like this, some with numerous stars, all serving the same Redline infostealers, some including 2FA credential stealers.

Here’s a smattering of some others: https://github.com/AkashiKensei/Zenix-Account-Creator

https://github.com/MinhDuong2571/DNSrce

https://github.com/xcwv667/eth-input-call-data-builder

https://github.com/ForgedRice/deepseek-api-client (this one was removed thanks to reaching out to someone with a large enough following)

https://github.com/Losnunes/SHOOTER

https://github.com/Alexbochechudo/encode-reactjs-intermediate-2024

https://github.com/Dawsandos/monster-energy-theme/releases

https://github.com/popopopopopopopopopopopopopopo/TuneText

https://github.com/Cynicave/Crunchyroll-Account-Checker

I would really love it if someone at GitHub would start answering support requests, looking at social media, opening emails, or just generally paying attention so that your users (and mine) stop being on the receiving end of malware hosted by GitHub.

I can see that you have some automated filters based on number of reports that come into support. Of course, I only know this because I’ve started to personally reach out to users affected by this—GitHub users who have a large enough social media following to effectively order a quick takedown of a repository on demand. That’s definitely a start, I guess, but insufficient.

Did you know that people outside the organization can’t even send emails to members of your platform’s security team? I guess the intent of that is to ensure some sort of safety valve. Of course, you’re also not able, apparently, to get alerted to large-scale botnets serving malware. So pluses and minuses.

You might want to consider some sort of mechanism for automatically looking at files uploaded to GitHub. Plenty of the zip files being hosted on these spoofed repos are known to sites like VirusTotal to reference known IoCs. They’re clearly malware and they’re proliferating. And you’re the delivery mechanism! That seems like a minor legal liability that someone like the CISO might want to mitigate.
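The kind of automated check the paragraph above asks for can be sketched in a few dozen lines. The example below is added here for illustration; it is not code from this letter, from GitHub, or from any of the repositories named above. It hashes a release asset, compares the digest against a denylist (a constructed, hypothetical set standing in for an IoC feed), opens the asset as a zip and flags members that are executables or encrypted (a release that claims to be source code or a theme but ships a password-protected `Setup.exe` is the pattern described in this letter), and optionally queries the VirusTotal v3 file endpoint for how many engines flagged the hash. The sample assets are built inline and are constructed, not real uploads; the VirusTotal call is network-bound and only runs when an API key is supplied.

```python
"""Hash-and-inspect triage for uploaded release assets (added example)."""
import hashlib
import io
import json
import urllib.error
import urllib.request
import zipfile
from typing import Dict, List, Optional, Set

# Constructed heuristic: members with these suffixes inside a zip that is
# supposed to be source, a theme or a script are worth a second look.
SUSPICIOUS_MEMBER_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".dll", ".msi", ".vbs")


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an asset, the key used for denylist and VT lookups."""
    return hashlib.sha256(data).hexdigest()


def inspect_zip(data: bytes) -> Dict[str, object]:
    """Collect facts about a zip asset without executing anything in it.

    Records the digest, member names, executable members and whether any
    member is encrypted (general-purpose flag bit 0), since password-protected
    archives are a common way to keep scanners from seeing the payload.
    """
    findings: Dict[str, object] = {
        "sha256": sha256_bytes(data),
        "members": [],
        "executables": [],
        "encrypted": False,
        "valid_zip": True,
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                findings["members"].append(info.filename)  # type: ignore[union-attr]
                if info.filename.lower().endswith(SUSPICIOUS_MEMBER_SUFFIXES):
                    findings["executables"].append(info.filename)  # type: ignore[union-attr]
                if info.flag_bits & 0x1:
                    findings["encrypted"] = True
    except zipfile.BadZipFile:
        findings["valid_zip"] = False
    return findings


def classify(findings: Dict[str, object], denylist: Set[str]) -> str:
    """Map findings to a triage verdict: known-bad, invalid, suspicious or clean."""
    if findings["sha256"] in denylist:
        return "known-bad"
    if not findings["valid_zip"]:
        return "invalid"
    if findings["executables"] or findings["encrypted"]:
        return "suspicious"
    return "clean"


def virustotal_lookup(sha256: str, api_key: str) -> Optional[int]:
    """Number of engines that flagged the hash on VirusTotal (v3 GET /files/{hash}).

    Returns None when no key is given or the hash is unknown to VirusTotal (404).
    This performs a network request; everything else in this file runs offline.
    """
    if not api_key:
        return None
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise
    return int(body["data"]["attributes"]["last_analysis_stats"]["malicious"])


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build a deterministic in-memory zip (fixed timestamps) for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed samples: a plausible source release and a dropper-style archive.
SAMPLE_SOURCE_ZIP = build_zip({"homefront/main.py": b"print('hi')\n", "homefront/README.md": b"# homefront\n"})
SAMPLE_DROPPER_ZIP = build_zip({"Setup.exe": b"MZ" + b"\x00" * 64, "Password.txt": b"1234\n"})
# Constructed asset whose digest sits in the (hypothetical) denylist feed.
KNOWN_BAD_BLOB = b"constructed known-bad asset, not a real sample"
DENYLIST: Set[str] = {sha256_bytes(KNOWN_BAD_BLOB)}


def triage(asset: bytes, denylist: Set[str] = DENYLIST, api_key: str = "") -> Dict[str, object]:
    """Full pipeline for one asset: inspect, classify, optionally enrich via VirusTotal."""
    findings = inspect_zip(asset)
    findings["verdict"] = classify(findings, denylist)
    findings["vt_malicious"] = virustotal_lookup(str(findings["sha256"]), api_key)
    return findings


if __name__ == "__main__":
    for label, asset in (("source", SAMPLE_SOURCE_ZIP), ("dropper", SAMPLE_DROPPER_ZIP)):
        result = triage(asset)
        print(label, result["verdict"], result["executables"])
```

The denylist check comes first so a known hash is caught even if the file is not a parseable zip, and the zip heuristics are deliberately conservative: they surface an asset for review rather than declaring it malicious, which is what a hosting platform's first-pass filter should do.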

I’m literally exhausted trying to get you people to pay attention. Do something. Do it now. Do your job.

Thanks!