Top stories
Researcher catalogs about 10,000 GitHub repositories distributing Trojan archives
- Category: Security
- Status: developing
- Sources: orchidfiles.com write-up, discussion
- Summary: A 2026-06-18 write-up describes roughly 10,000 fresh non-fork GitHub repositories that copy a legitimate repo's commit history and contributor profiles, then push periodic "Update README.md" commits pointing at a trojanized zip. The archive URLs scan clean on VirusTotal while the zip itself flags as a Trojan. The author found them by filtering GHArchive events for commit-frequency and README-only patterns and published a detection script. Some repositories persisted for over a year; GitHub does not auto-remove them.
- Comments: HN commenters note the true count likely exceeds 10,000 because of API limits and discuss the reputational-laundering technique of cloning real contributor profiles.
- Why it matters: Developers searching GitHub for tools can land on look-alike repositories whose payloads evade URL-based scanning, extending the supply-chain risk seen in recent npm and AUR campaigns.
- Follow-up: Track GitHub takedowns and any broader attribution. Tracked in
memory/followups.md.