Approximately 10,000 repositories distributing Trojan horses were found on GitHub, mimicking legitimate projects to blend into search results.

Developer Orchid has reported that 'approximately 10,000 repositories have been found on GitHub, a platform for software developers, that are cloning legitimate projects and distributing Trojan horses.' Because each repository has a different name and owner, and GitHub does not treat them as 'forks' indicating copies, it is difficult to spot them as malicious copies at first glance.
I discovered a large-scale malware distribution on GitHub
Orchid first noticed the problem when he searched for his project name on a search engine. Google showed the legitimate repository, while Bing brought up a repository from another user with the same name and description in the search results. The duplicate had the original commit history and contributor information, but the README file had an added link to download a ZIP file.

GitHub allows users to view source code and update history, providing them with the information they need to determine if a repository is a legitimate source. In addition to the name and description of an existing project, displaying a long update history and multiple contributors increases the likelihood that users will assume it's a legitimate source and execute the file.
The problematic ZIP file contained startup files such as 'Application.cmd,' executable files, and libraries used to run Lua. Orchid explained that while a malware scan of only the link to the ZIP file using the malware scanning service VirusTotal did not detect any threats, a Trojan horse was found when the ZIP file itself was scanned.
To find similar repositories, Orchid used GH Archive, which publishes records of operations that have occurred on GitHub. Because GitHub has a vast number of repositories, checking each one individually would hit API usage limits. Therefore, he narrowed down the search to only repositories that had been modified with a certain frequency, based on the push events of approximately 16 million commits recorded in the last five days.
The fraudulent repositories shared several common characteristics: their README file contained a link to a ZIP file, they duplicated the update history of a legitimate repository, and the message of their latest commit was 'Update README.md'. After adjusting the search criteria, approximately 10,000 out of about 40,000 candidates matched these characteristics.

Similar attacks have been observed before. In April 2026, security firm Hexastrike reported discovering 109 fake repositories operating under 103 accounts. The analyzed ZIP files were designed to execute malware that loaded another program, followed by the delivery of information-stealing malware such as StealC. The attackers managed to replace the introductory text and download links while retaining the contents of legitimate projects.
Orchid speculates that attackers might duplicate relatively new projects because project names with low search volume are easier to rank higher in search results. He also points out that duplicating update history and contributor information could be aimed at gaining user trust or avoiding detection by GitHub. However, Orchid's explanation of the attackers' motives is speculation, and their actual objectives remain unknown.
Orchid adds that at the time of writing, GitHub had begun deleting repositories found by the script, and most had already been removed. However, Orchid states that the search criteria used only examined a portion of GitHub as a whole, and the actual scale of the attack may be larger than what was found in these findings.
Related Posts:
in Web Service, Security, Posted by log1d_ts







