I found 10k GitHub repositories distributing Trojan malware
Points and comments are a snapshot, not live.
Thousands of GitHub repositories distribute Trojan malware by cloning legitimate projects and adding malicious links.
The author discovered 10,000 GitHub repositories containing Trojan malware. These repositories clone genuine projects, copy all commits and contributors, then periodically push commits named 'Update README.md' that add a link to a zip archive. The archive contains an executable, a DLL, and script files. VirusTotal detects the zip as malicious but not the link alone. Repositories are updated every few hours, with the commit deleted and re-pushed. GitHub initially removed only those the author explicitly listed, not new ones found by the script.
GitHub support took over a month to act on initial reports. The author published a detection script and full repository list. The scheme has been active since at least February 2025.
What commenters are saying
Multiple commenters confirmed similar experiences, with mixed GitHub response times: one removal within 24 hours, another unresolved after a month. Some uploaded samples to VirusTotal, finding connections to the Disco trojan family and requests to Polygon RPC nodes and c2 servers, suggesting crypto theft. One detailed case involved a romance scam, where the commenter successfully got 2/3 of fake sites removed by reporting to hosts and certificate authorities. Another noted the discarding of the 'open source is safe' principle, pointing out that binaries may not match source and few users audit dependencies.
Several comments shared practical advice: report malware with detailed, easy-to-act-on info; contact domain registrars and hosting companies; and for supply-chain issues, use sandbox analysis. One commenter described the difficulty of trusting third-party libraries in modding ecosystems.