Security
Researcher finds about 10,000 GitHub repositories distributing Trojan archives
- Category: Security
- Status: confirmed
- Sources: orchidfiles.com, discussion
- Summary: A researcher published a write-up on 2026-06-18 identifying about 10,000 GitHub repositories that distribute Trojan malware through README links to zip archives. Each repository is a fresh non-fork that copies a legitimate repository's commit history and contributor profiles to look credible, then every few hours deletes the previous commit and pushes a new "Update README.md" commit that changes only the README to point at a trojanized zip. Scanning the archive URL on VirusTotal returns nothing, while scanning the zip itself detects the Trojan. The author found the repositories by filtering GHArchive event data for the commit-frequency and README-only pattern, published the full list, and released a Git Malware Finder script. Some repositories have persisted for over a year, and GitHub does not auto-remove them. The author notes API limits mean the true count likely exceeds 10,000.
- Why it matters: Developers searching GitHub for tools or proof-of-concept code can land on credible-looking repositories whose only payload is a README link to malware, a low-effort distribution channel that evades URL-based scanning.
- Follow-up: Track GitHub takedowns of the listed repositories and whether the detection pattern is adopted.