I found 10k GitHub repositories distributing Trojan malware

GitHub’s copycat scam wave had commenters spooked, furious, and making dark jokes

TLDR: A developer says thousands of fake GitHub project pages were quietly pushing malware through innocent-looking download links. Commenters were alarmed, swapped their own scam stories, and joked that the creeps might stop updating now that they’ve been exposed.

A developer says they uncovered 10,000 GitHub pages spreading Trojan malware, and the community reaction was basically a mix of "this is terrifying," "of course support took forever," and "wow, we’re all living in a spam bazaar now." The original discovery started almost accidentally: the author found clones of real projects showing up in search results, with one sneaky change, a fresh link in the README pushing people toward a ZIP archive that looked harmless until it was properly inspected. That detail alone sent commenters into full detective mode.

The strongest reactions came from people digging into what the malicious files might actually do. One commenter said the sample appeared to contact public IP-lookup sites, a cryptocurrency-related service, and a suspicious server, which led to the hottest theory in the thread: this may be aimed at stealing cryptocurrency wallets. Others piled on with their own horror stories, saying they’d seen similar scams where small useful apps were copied, then weaponized and boosted in search rankings. The mood was grimly familiar: scammers are shameless, platforms are slow, and users are left playing cleanup.

But the thread also had that classic internet gallows humor. One person joked it would be "very spooky" if the fake repos suddenly stopped updating because the scammers read the post. Another commenter captured the helplessness perfectly: finding a well-built scam, digging deep, and then realizing you still don’t know who to call. It’s part cybercrime thriller, part customer-support tragedy, and the comments are the real scream track.

Key Points

  • The author found GitHub repositories that copied legitimate projects’ names, descriptions, and commit histories, then added README links to ZIP archives.
  • The suspicious repositories reportedly followed a repeating pattern in which the latest commit was deleted and re-pushed every few hours with only a README change.
  • The author reported the repositories to GitHub support and says GitHub removed them about a month later.
  • The article says the ZIP archives contained four files, including a script, an executable, another file with a random name, and `lua51.dll`.
  • The author proposed identifying more such repositories by scripting searches around the shared pattern: README-only updates, ZIP links in the README, commit histories copied from the real project, recently created repositories that are not forks, and repository names and contributor accounts that vary from clone to clone.
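The pattern in the key points above is easy to turn into a triage script once repository metadata has been fetched. The following is an added example, not code from the original post or from any project it mentions: it runs offline over a constructed list of repository records (names, commit SHAs, dates and URLs are all invented) and flags repositories that match several of the indicators at once: a ZIP link in the README, a head commit that touches only the README, a recently created non-fork, and commit SHAs shared with a known upstream project. Fetching the records from the GitHub API and the choice of thresholds are left as assumptions.

```python
"""Heuristic triage for copycat repositories that push ZIP links via the README.

Added example; not the original author's script. All repository names, commit
SHAs, dates and URLs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# A link to a .zip file inside README text (bare URL or Markdown link target).
ZIP_LINK = re.compile(r"https?://[^\s)\]>]+?\.zip\b", re.IGNORECASE)

README_NAMES = {"readme", "readme.md", "readme.rst", "readme.txt"}


@dataclass
class Commit:
    sha: str
    files: Tuple[str, ...]  # paths touched by this commit


@dataclass
class Repo:
    full_name: str        # "owner/name"
    is_fork: bool
    created_at: datetime
    readme: str
    commits: List[Commit]  # newest first


def is_readme_only(commit: Commit) -> bool:
    """True when the commit touches nothing but a README file."""
    return bool(commit.files) and all(
        f.rsplit("/", 1)[-1].lower() in README_NAMES for f in commit.files
    )


def copied_from(repo: Repo, upstream_shas: Dict[str, Set[str]]) -> Set[str]:
    """Known upstream projects whose commit SHAs appear in this repo's history.

    Equal SHAs mean identical commit objects, so a non-fork that shares them
    had the upstream history pushed into it wholesale rather than written.
    """
    own = {c.sha for c in repo.commits}
    return {name for name, shas in upstream_shas.items()
            if name != repo.full_name and own & shas}


def triage(repo: Repo, now: datetime, upstream_shas: Dict[str, Set[str]],
           max_age_days: int = 30) -> List[str]:
    """Return the indicators this repo matches (empty list = nothing suspicious)."""
    hits = []
    if ZIP_LINK.search(repo.readme):
        hits.append("zip_link_in_readme")
    if repo.commits and is_readme_only(repo.commits[0]):
        hits.append("readme_only_head_commit")
    if not repo.is_fork and now - repo.created_at <= timedelta(days=max_age_days):
        hits.append("new_non_fork")
    if copied_from(repo, upstream_shas):
        hits.append("copied_upstream_commits")
    return hits


def find_suspects(repos: List[Repo], now: datetime,
                  upstream_shas: Dict[str, Set[str]], min_hits: int = 3):
    """Repos matching at least min_hits indicators, with the ZIP URLs they push."""
    out = []
    for r in repos:
        hits = triage(r, now, upstream_shas)
        if len(hits) >= min_hits:
            out.append((r.full_name, hits, ZIP_LINK.findall(r.readme)))
    return out


# ---- constructed sample data (assumption: already fetched from the API) ----
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
UPSTREAM = {"example-org/real-tool": {"a1b2c3d", "e4f5a6b", "c7d8e9f"}}
SAMPLE_REPOS = [
    # The legitimate project: old, no ZIP link, head commit touches source.
    Repo("example-org/real-tool", False, datetime(2021, 3, 4, tzinfo=timezone.utc),
         "# real-tool\nBuild from source with `make`.",
         [Commit("c7d8e9f", ("src/main.c",)),
          Commit("e4f5a6b", ("README.md", "src/main.c")),
          Commit("a1b2c3d", ("README.md",))]),
    # A copycat: fresh non-fork, upstream SHAs, README-only head adding a ZIP link.
    Repo("rnd-user-9182/real-tool", False, datetime(2024, 5, 28, tzinfo=timezone.utc),
         "# real-tool\nDownload: [latest build](https://example.invalid/dl/real-tool.zip)",
         [Commit("f0f0f0f", ("README.md",)),
          Commit("c7d8e9f", ("src/main.c",)),
          Commit("e4f5a6b", ("README.md", "src/main.c"))]),
    # An ordinary fork with a ZIP link: only two indicators, stays below threshold.
    Repo("someone/real-tool", True, datetime(2024, 5, 20, tzinfo=timezone.utc),
         "# real-tool (fork)\nDownload https://example.invalid/x.zip",
         [Commit("c7d8e9f", ("src/main.c",))]),
]

if __name__ == "__main__":
    for name, hits, urls in find_suspects(SAMPLE_REPOS, NOW, UPSTREAM):
        print(name, hits, urls)
```

The threshold of three indicators is an assumption chosen so that a legitimate fork carrying a download link is not flagged; in practice the commit-SHA overlap and the README-only head are the strongest signals, and the list of ZIP URLs is what you would feed to a sandbox next.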

Hottest takes

"It will feel very spooky when they stop updating because of this essay" — axus
"I can only assume that the scheme is designed to steal cryp..." — astronodev
"feel powerless not knowing what to do with the information" — lookeey

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.