• Category: Security
  • Status: developing
  • Sources: orchidfiles.com write-up, discussion
  • Summary: A 2026-06-18 write-up describes roughly 10,000 fresh non-fork GitHub repositories that copy a legitimate repo's commit history and contributor profiles, then push periodic "Update README.md" commits pointing at a trojanized zip. The archive URLs scan clean on VirusTotal while the zip itself flags as a Trojan. The author found them by filtering GHArchive events for commit-frequency and README-only patterns and published a detection script. Some repositories persisted for over a year; GitHub does not auto-remove them.
  • Comments: HN commenters note the true count likely exceeds 10,000 because of API limits and discuss the reputational-laundering technique of cloning real contributor profiles.
  • Why it matters: Developers searching GitHub for tools can land on look-alike repositories whose payloads evade URL-based scanning, extending the supply-chain risk seen in recent npm and AUR campaigns.
  • Follow-up: Track GitHub takedowns and any broader attribution. Tracked in memory/followups.md.

Send feedback on this story