The rise of malicious repositories on GitHub


There is an ongoing surge of malicious repositories on GitHub, and the sad thing about it is that GitHub seems not to care much.

About 10 days ago, I searched for a repo on DuckDuckGo and stumbled upon a fake GitHub repo. It mimics a legitimate repository, but instead of providing the usual releases, it only provides malicious Windows binaries. Linux/MacOS binaries are not available, and the information on how to build the project was removed from the README file.

The description was also altered using LLMs, removing a lot of technical details.

I reported this repository to GitHub, explaining the problem and showing the report from VirusTotal. To this day, the repository is still there, and the binaries are still available for download.

The repo has been active for two months. The README is updated every hour so that the repository ranks higher in GitHub search.

Today, I saw another case of this on X, and this got me thinking about checking GitHub for more of these repositories.

I was able to find more than 100 such repositories; some of them are completely generated by LLMs to get traffic from search engines and GitHub, while others mimic popular repositories.

Notably, some repositories are MacOS/Linux specific (e.g. homebrew), but they still only provide Windows binaries. This suggests that the whole campaign is either automated or was put together with very little effort.

Here is a simple dork for GitHub search:

path:README.md /software-v.*.zip/

Malicious links usually follow a recognizable pattern:

Software-v1.9-beta.2.zip
Software-v1.7.zip
Software-v1.9-alpha.3.zip
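As an added example (not code from the original post), a small Python heuristic that applies the naming pattern above to a README and reports the other signals the post describes: a versioned zip download, no build instructions, and Windows-only binaries. The two sample READMEs are constructed for this example; the keyword lists are assumptions, not something the post specifies.

```python
import re

# Constructed sample READMEs for this example (not taken from any real repository).
SUSPICIOUS_README = """
# Tool
Download: [Tool-v1.9-beta.2.zip](https://example.invalid/dl/Tool-v1.9-beta.2.zip)
Windows only. Run the installer and enjoy.
"""

NORMAL_README = """
# Tool
## Building
Run `make` to build. Releases for Linux, macOS and Windows are on the releases page:
https://example.invalid/tool/releases/tag/v1.7
"""

# Tighter form of the post's dork (path:README.md /software-v.*.zip/):
# <name>-v<major>[.<minor>...][-alpha|beta|rc.<n>].zip
VERSIONED_ZIP = re.compile(
    r"\b[A-Za-z][\w.-]*?-v\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\.?\d+)?\.zip\b",
    re.IGNORECASE,
)
# Assumed indicator words; extend them to taste.
BUILD_WORDS = ("build", "compile", "make", "cmake", "cargo", "go build", "npm install")
OTHER_OS_WORDS = ("linux", "macos", "mac os", "darwin", ".dmg", ".deb", ".tar.gz", ".appimage")


def find_versioned_zips(readme: str) -> list[str]:
    """Return every distinct archive name in the README matching the campaign's naming pattern."""
    return sorted(set(VERSIONED_ZIP.findall(readme)))


def readme_red_flags(readme: str) -> list[str]:
    """Collect the signals described in the post; an empty list means nothing odd was found."""
    flags = []
    zips = find_versioned_zips(readme)
    if zips:
        flags.append("versioned zip download(s): " + ", ".join(zips))
    low = readme.lower()
    if zips and not any(w in low for w in BUILD_WORDS):
        flags.append("no build instructions")
    if zips and not any(w in low for w in OTHER_OS_WORDS):
        flags.append("windows-only binaries")
    return flags


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_README), ("normal", NORMAL_README)):
        print(name, readme_red_flags(text) or ["no red flags"])
```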

Some of the users seem to have been registered a long time ago, so I guess there is account hijacking going on.

Don't be fooled; always check the repository you are downloading from.

The good thing is that browsers already refuse to download the majority of these malicious files, because they are flagged by antivirus software.

All articles on this website are written by a human without LLM assistance.