GitHub is flooded with fake repositories that masquerade as legitimate developer projects and distribute trojans via links to ZIP archives.
A large-scale malicious campaign was discovered by a developer using the pseudonym Orchid. He found about 10,000 repositories on GitHub that looked like independent projects from different authors but operated on the same scheme. The attackers copied other people's new repositories, preserved the commit history and list of contributors, and then changed the README file, adding a link to an archive with malicious content.
Orchid noticed the problem after his own project was copied. In Google, the original repository appeared correctly, while in Bing, the same query returned a different repository with the same name and description. Inside was a copy of the project, including the commit history, but the README contained a link to a ZIP archive.
According to the developer, the fake repositories were not ordinary forks. They had different names, different owners, and different contributors. The common detail was that they repeatedly modified the README. In some cases, the attackers deleted the old commit and after a few hours added a new one with the same name "Update README.md". Earlier, reports about this scheme had already appeared online, and developers complained about the forgery of their projects. Orchid identified about 40,000 suspicious repositories, of which approximately 10,000 fully matched the required pattern.
The malicious scheme revolved around a ZIP archive. Typically, inside were a Windows batch file, an executable such as loader.exe or luajit.exe, a random file with a .txt or .cso extension, and the lua51.dll library. When checked on VirusTotal, the malicious code itself might not be detected, but the uploaded archive as a whole was already flagged as a trojan.
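The traits described above (a ZIP link injected into the README, repeated "Update README.md" commits, and an archive holding a batch file, a LuaJIT loader and lua51.dll) can be turned into a simple triage heuristic for repository owners checking suspected clones. The following is an added example written for this article, not Orchid's script or HexaStrike's tooling; its thresholds, function names and sample data are assumptions.

```python
import re
from dataclasses import dataclass, field

# Heuristics distilled from the campaign description; thresholds are assumed.
ZIP_LINK_RE = re.compile(r"https?://[^\s)\]]+\.zip\b", re.IGNORECASE)
KNOWN_LURE_FILES = {"loader.exe", "luajit.exe", "lua51.dll"}
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".dll", ".cso"}

@dataclass
class Finding:
    reasons: list = field(default_factory=list)

    def suspicious(self) -> bool:
        # Require two independent signals to limit false positives on
        # ordinary projects that legitimately link to release archives.
        return len(self.reasons) >= 2

def check_readme(readme: str) -> list:
    # Any direct ZIP download link in a README is one signal of the lure.
    return [f"zip link in README: {url}" for url in ZIP_LINK_RE.findall(readme)]

def check_commits(messages: list, threshold: int = 3) -> list:
    # Repeated identically named README-only commits, as seen in the clones.
    count = sum(1 for m in messages if m.strip().lower() == "update readme.md")
    return [f"{count} 'Update README.md' commits"] if count >= threshold else []

def check_archive(names: list) -> list:
    # Inspect the archive's file listing without executing anything.
    reasons = []
    for name in names:
        base = name.rsplit("/", 1)[-1].lower()
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if base in KNOWN_LURE_FILES:
            reasons.append(f"known lure component: {base}")
        elif ext in EXECUTABLE_EXTS:
            reasons.append(f"executable-type file in archive: {base}")
    return reasons

def assess(readme: str, commits: list, archive_names=()) -> Finding:
    finding = Finding()
    finding.reasons += check_readme(readme)
    finding.reasons += check_commits(commits)
    finding.reasons += check_archive(list(archive_names))
    return finding

# Constructed sample data (not taken from any real repository).
SAMPLE_README = "# fastjson\nDownload the build: https://example-cdn.invalid/fastjson-v2.zip"
SAMPLE_COMMITS = ["Initial commit", "Add parser", "Update README.md",
                  "Update README.md", "Update README.md"]
SAMPLE_ARCHIVE = ["run.bat", "luajit.exe", "lua51.dll", "x7f3.cso"]
```

Running `assess(SAMPLE_README, SAMPLE_COMMITS, SAMPLE_ARCHIVE)` on the constructed sample yields a suspicious finding with all three signal types; a README with no ZIP link and a normal commit history produces none.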
Earlier, a similar campaign was described by the company HexaStrike. Its specialists found 109 fake repositories and linked the activity to the SmartLoader and StealC malicious chain. After running the batch file on the victim's computer, the LuaJIT interpreter with an obfuscated script was launched. Then the malware obtained the address of the command-and-control infrastructure through a smart contract on the Polygon network and downloaded the next stage of the attack.
As a result, StealC, which steals data, could end up on the infected device. Such a trojan can steal cryptocurrency wallets, passwords, banking data, browser files, email accounts, as well as data from Steam, Discord, Telegram, and other services.
The fake repositories looked convincing because they preserved the source code, commit history, and contributors of the original projects. According to Orchid, the attackers copied new repositories to quickly appear in search results for rare queries. Moreover, such projects could be found not only by humans but also by AI agents that search for dependencies or code examples and may automatically follow a malicious link.
The developer reported two fake copies of his projects to GitHub, but according to him, he had to wait almost two months for the repositories to be removed. After he published a script and a list of malicious repositories, GitHub began deleting the found projects, but Orchid claims that the platform only removed those repositories that were directly listed. After re-running the script, new findings appeared, which, according to the author, were not promptly removed.
Some fake repositories existed for months, and some could have remained accessible for over a year. Orchid believes that the 10,000 projects found may be only part of the campaign, since his search was limited by GitHub's API limit of 5,000 requests per hour. The platform itself has no such restrictions, so GitHub can check all repositories, find archives and executables, and then scan them for malicious code.
Who is behind the attack is still unknown. HexaStrike suggested that the campaign is run by a single attacker or a small group with centralized control. This is indicated by the identical README structure, synchronous repository updates, repeated techniques used to load malware, and shared infrastructure.