Ban them, demand GitHub et al take down the illegal repos, hit up Microsoft for records of everyone who ever downloaded them, hosting providers for customer records, and ISPs for lists of customers with VPN-shaped traffic between themselves and their hosting provider. Or if they’re lazy, just demand that the hosting providers sort it out.
This assumes US citizens using exclusively US based VPNs. You'd have to block all outside internet access as well, or you cannot stop someone in the US using a VPN based in another country (short of IP whackamole).
To an extent, but the US often compels foreign companies to either not deal with US customers or put up with US’s bullshit, so they could potentially get compliance from major overseas providers. More onerous domestic policy could also prevent it, like requiring that domestic network providers block unauthorized encrypted connections to foreign entities. And anyways, making something illegal doesn’t actually require making it physically impossible to do.
