Can someone at GitHub wake the hell up already and stop serving malware?
Here’s an obvious one: https://github.com/ojas1103/CircleProgressKit
And others: https://github.com/AkashiKensei/Zenix-Account-Creator
https://github.com/MinhDuong2571/DNSrce
https://github.com/xcwv667/eth-input-call-data-builder
https://github.com/ForgedRice/deepseek-api-client
https://github.com/Losnunes/SHOOTER
https://github.com/Alexbochechudo/encode-reactjs-intermediate-2024
https://github.com/Dawsandos/monster-energy-theme/releases
https://github.com/popopopopopopopopopopopopopopo/TuneText
https://github.com/Cynicave/Crunchyroll-Account-Checker
This isn’t just one or two cases; it looks like a massive campaign. The repos often copy a real project’s README and structure, though reworded through an LLM, but contain malicious code distributed through releases or sometimes attachments. Here’s one example: https://github.com/ojas1103/CircleProgressKit
Take care not to actually download this unless you know what you’re doing. This is malware.
Some of these have a high number of stars on occasion, though they are sometimes difficult to find because the threat actor appears to be constantly force-pushing code to force GitHub to re-index it, so they have to be discovered through external indexes.
The malware seems to predominantly contain Redline infostealers. It appears that they may even include some of the recent more advanced 2FA credential stealers.
The worst part? These aren’t getting taken down despite multiple reports. GitHub appears to be a black hole. If someone downloads a spoofed repo thinking it’s safe, they could be running malware. I don’t know how many people have been affected, but it seems to be escalating.
At this point, I’m out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?
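A triage check for the pattern described above (hand-uploaded release assets on what looks like a copied source library), as an added example that is not part of the original post: the repo and release dicts follow the GitHub REST API field names, while the sample logins, names, README text and similarity threshold are constructed.

```python
import re
from difflib import SequenceMatcher

# Extensions a source-only library release has no reason to ship.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|msi|bat|cmd|ps1|vbs|jar|dmg|pkg)$", re.I)
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)

def readme_similarity(candidate: str, upstream: str) -> float:
    """Similarity (0..1) of two READMEs, ignoring case and whitespace."""
    norm = lambda s: " ".join(s.lower().split())
    return SequenceMatcher(None, norm(candidate), norm(upstream)).ratio()

def triage_repo(repo: dict, releases: list, readme: str = "",
                upstream_readme: str = "", threshold: float = 0.5) -> list[str]:
    """Return findings for one repo; `repo`/`releases` follow the shape of the
    GitHub REST /repos/{owner}/{repo} and /releases responses."""
    findings = []
    owner = repo["owner"]["login"]
    lang = repo.get("language")
    for rel in releases:
        for asset in rel.get("assets", []):
            name, tag = asset["name"], rel.get("tag_name", "?")
            if EXECUTABLE_EXT.search(name):
                findings.append(f"{tag}/{name}: executable asset on a {lang} source repo")
            elif ARCHIVE_EXT.search(name):
                # GitHub's auto-generated source zip/tarball is never listed under
                # `assets`, so any archive found here was uploaded by hand.
                findings.append(f"{tag}/{name}: hand-uploaded archive on a {lang} source repo")
            uploader = (asset.get("uploader") or {}).get("login")
            if uploader and uploader != owner:
                findings.append(f"{tag}/{name}: uploaded by '{uploader}', not owner '{owner}'")
    if readme and upstream_readme:
        sim = readme_similarity(readme, upstream_readme)
        if sim >= threshold:  # threshold is a constructed starting point, tune it
            findings.append(f"README is {sim:.0%} similar to the upstream project's README")
    return findings

# Constructed sample input (logins, names and text are made up for this example).
SAMPLE_REPO = {"owner": {"login": "example-owner"}, "language": "Swift"}
SAMPLE_RELEASES = [{"tag_name": "v1.0", "assets": [
    {"name": "ExampleKit.zip", "uploader": {"login": "other-account"}},
    {"name": "Setup.exe", "uploader": {"login": "example-owner"}},
]}]
UPSTREAM_README = "ExampleKit is a lightweight circular progress view for iOS written in Swift."
COPIED_README = "ExampleKit is a lightweight circular progress view for iOS, written in Swift."

if __name__ == "__main__":
    for line in triage_repo(SAMPLE_REPO, SAMPLE_RELEASES, COPIED_README, UPSTREAM_README):
        print(line)
```

Run against the live API output for a suspect repo, every finding is a reason to inspect the release asset in a sandbox rather than on a workstation.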