10,000 GitHub repos found distributing Trojan malware

Original: I found 10k GitHub repositories distributing Trojan malware

Why This Matters

Reveals a significant weakness in GitHub's abuse prevention and detection systems, with direct consequences for software supply chain integrity.

A developer discovered approximately 10,000 GitHub repositories distributing Trojan malware under many different contributor names and project names. The repositories follow a common pattern: copying legitimate projects, adding malware download links to README files, and deleting and re-pushing commits hourly to evade detection.

A GitHub user discovered a large-scale malware distribution campaign after noticing cloned versions of their own repository appearing in search results with added links to suspicious zip archives. The malicious repositories exhibited a consistent pattern: they copied all commits from legitimate repositories, added links to zip files containing Trojan malware to README files, and repeatedly deleted previous commits while pushing identical new ones every few hours. Each repository used a different contributor name and project title, defeating simple detection methods.

The researcher submitted abuse reports to GitHub support, which took approximately six weeks to respond and remove the initially identified repositories.

To scale detection, the researcher developed a script that analyzes GitHub repositories for the common pattern: frequent README-only commits containing archive links, copied commit histories, and newly created repositories from different contributors.

The malicious zip files initially showed zero detections on VirusTotal when the archives alone were submitted, but Trojans were detected when the complete zip files were scanned. The files typically included loader executables (Application.cmd, Launcher.cmd) and support files (lua51.dll and .cso files with random names).

With GitHub's API rate limit of 5,000 requests per hour per token, analyzing all 500 million repositories would take approximately one year using standard methods, which prompted the researcher to develop more efficient detection strategies.
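The pattern the researcher describes (README-only commits carrying archive links, a re-pushed commit cadence of a few hours, identical commit messages) can be turned into a repository scoring heuristic. The script below is an added example written for this summary; it is not the researcher's script and does not call the GitHub API. It assumes a simplified commit record shape (`sha`, `message`, ISO `date`, list of changed `files`) that a caller would already have resolved from GitHub's commit listing, and all sample repositories, messages and URLs in it are constructed.

```python
"""Heuristic scorer for the cloned-repo-plus-archive-link pattern.

Added example, not the original post's code. Assumption: each commit is a dict
with 'sha', 'message', ISO-8601 'date' and a list of changed 'files', i.e. a
simplified form of a GitHub REST API commit listing. Everything here runs
offline on constructed data.
"""
import re
from datetime import datetime, timedelta, timezone
from statistics import median

# Archive download links in a README are the first indicator of the pattern.
ARCHIVE_LINK_RE = re.compile(r"https?://\S+?\.(?:zip|rar|7z)\b", re.IGNORECASE)
# README.md, readme.rst, README ... at any depth of the tree.
README_RE = re.compile(r"^readme(\.\w+)?$", re.IGNORECASE)


def archive_links(readme_text):
    """Return every archive URL found in the README text."""
    return ARCHIVE_LINK_RE.findall(readme_text)


def readme_only_ratio(commits):
    """Fraction of commits whose only changed file(s) are README files."""
    if not commits:
        return 0.0
    readme_only = sum(
        1 for c in commits
        if c["files"] and all(README_RE.match(p.rsplit("/", 1)[-1]) for p in c["files"])
    )
    return readme_only / len(commits)


def median_interval_hours(commits):
    """Median gap between consecutive commits in hours (None if fewer than 2)."""
    times = sorted(datetime.fromisoformat(c["date"]) for c in commits)
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    return median(gaps)


def duplicate_message_ratio(commits):
    """Share of commits that reuse an earlier commit message verbatim."""
    if not commits:
        return 0.0
    seen, dups = set(), 0
    for c in commits:
        if c["message"] in seen:
            dups += 1
        seen.add(c["message"])
    return dups / len(commits)


def score_repo(readme_text, commits, max_interval_hours=6.0):
    """Combine the indicators into named flags and an integer score (0-4)."""
    interval = median_interval_hours(commits)
    flags = {
        "archive_link_in_readme": bool(archive_links(readme_text)),
        "mostly_readme_only_commits": readme_only_ratio(commits) >= 0.5,
        "rapid_repush_cadence": interval is not None and interval <= max_interval_hours,
        "identical_commit_messages": duplicate_message_ratio(commits) >= 0.5,
    }
    return sum(flags.values()), flags


def _constructed_suspicious():
    """Constructed repo: copied upstream commit plus hourly README re-pushes."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    readme = "# Fancy Tool\n\nDownload the latest build: https://files.example/fancy-tool-v2.zip\n"
    commits = [
        {"sha": f"c{i:02d}", "message": "Update README.md",
         "date": (base + timedelta(hours=2 * i)).isoformat(), "files": ["README.md"]}
        for i in range(6)
    ]
    commits.append({"sha": "orig", "message": "Add parser",
                    "date": (base - timedelta(days=30)).isoformat(),
                    "files": ["src/parser.py", "README.md"]})
    return readme, commits


def _constructed_benign():
    """Constructed repo: ordinary development history, no archive links."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    readme = "# Fancy Tool\n\nInstall with `pip install fancy-tool`.\n"
    commits = [
        {"sha": "b00", "message": "Add parser", "date": base.isoformat(),
         "files": ["src/parser.py", "README.md"]},
        {"sha": "b01", "message": "Fix edge case in parser",
         "date": (base + timedelta(days=3)).isoformat(),
         "files": ["src/parser.py", "tests/test_parser.py"]},
        {"sha": "b02", "message": "Bump version",
         "date": (base + timedelta(days=10)).isoformat(), "files": ["setup.py"]},
    ]
    return readme, commits


if __name__ == "__main__":
    for label, sample in (("suspicious", _constructed_suspicious()), ("benign", _constructed_benign())):
        score, flags = score_repo(*sample)
        print(label, score, flags)
```

The score is deliberately a count of independent flags rather than a single threshold on one feature, because each indicator alone (a zip link in a README, a burst of small commits) is common in legitimate projects; the combination of all four is what the campaign is built on, and that is what a triage queue should sort on before any human looks at the repository.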

Source

orchidfiles.com