A large-scale malware campaign has been uncovered on GitHub after a researcher identified more than 10,000 repositories distributing Trojan-laced archives, raising concerns about abuse of the platform’s trust model and limitations in automated detection.

The investigation began when the researcher noticed a cloned version of their own repository appearing in search engine results.

While the project name, description, and commit history appeared identical, a newly added commit introduced a malicious link in the README file pointing to a downloadable ZIP archive.

Similar behavior was later observed across multiple repositories with different names and contributors, with no direct fork relationships, suggesting a coordinated campaign rather than isolated incidents.

Closer analysis revealed a consistent pattern across these repositories. Attackers replicated legitimate repositories, including full commit histories and contributor profiles, likely to establish credibility.

GitHub Malware Campaign Impacts

They then periodically modified the README file to include links to external ZIP archives. These commits were often overwritten and re-pushed every few hours, typically labeled “Update README.md,” a tactic that may help evade detection mechanisms or maintain visibility in indexing systems.

The linked ZIP archives contained a small set of files, including command scripts, executable loaders, and dynamic libraries.

While individual file links often returned no detections on VirusTotal, downloading and scanning the full archive revealed Trojan malware.

This indicates the attackers may be using evasion techniques that rely on splitting or obfuscating payload components to bypass automated scanning tools.

To identify the scale of the campaign, the researcher developed a script using GitHub event data from GH Archive.

Instead of scanning all repositories, which would be impractical due to API rate limits, the script focused on repositories with frequent commit activity.

Out of approximately 16 million commit events analyzed over five days, around 3,000 repositories showed suspicious update patterns.

After refining filters to exclude bots, enforcing contributor diversity, and detecting anomalous commit timing, the script ultimately identified roughly 10,000 repositories that matched the malicious pattern.

According to Orchid in a report shared with Cybersecurity News, many of the compromised repositories had remained undetected for months or even years.

Researchers also found that several repositories were updated only infrequently, challenging the assumption that rapid commit activity is a defining trait of malicious repositories.

Additional indicators included commits with no actual file changes and consistent naming conventions, further highlighting automated deployment methods.

The campaign appears designed to exploit GitHub’s visibility in search engines and developer workflows. By cloning newly created or low-traffic repositories, attackers increase the likelihood of appearing in search results for niche queries.

Preserving commit history and contributor metadata adds legitimacy, making it more likely that users will trust and download the malicious files.

Despite reporting efforts, remediation has been inconsistent. GitHub removed repositories explicitly listed by the researcher. However, newly identified ones remained active, suggesting a reactive rather than proactive enforcement approach.

Public reports and earlier research indicate this tactic has been in use since at least early 2025, with similar campaigns distributing malware families such as SmartLoader and StealC.

The findings highlight a broader challenge for code hosting platforms: detecting malicious behavior that mimics legitimate development activity.

Without scalable analysis of repository content, commit patterns, and external links, such campaigns can persist undetected.

For developers, the incident underscores the importance of verifying external downloads, even when sourced from seemingly legitimate repositories.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.