OFFSITE.DARK
Jun 18, 2026

Hacker News

  • malware
  • supply-chain
  • github

news

10k GitHub Repos Found Distributing Trojan Malware

Researcher identifies ~10,000 GitHub repos cloning legitimate projects and pushing trojanized README zip archives.

Summary

On June 18, 2026, coverage surfaced of a security researcher's findings on a large-scale GitHub malware distribution campaign affecting approximately 10,000 repositories. The operation clones legitimate open-source projects — preserving commit history, contributor graphs, and README structure — then injects periodic "Update README.md" commits containing download links to zip archives with trojanized payloads.

The campaign exploits a trust heuristic endemic in developer workflows: repository age and contributor count imply legitimacy. Attackers manufacture both synthetically before weaponizing the README delivery vector.

Campaign Mechanics

Repository Fabrication

  1. Fork or mirror a popular repository (Python utilities, crypto tools, game mods, dev tooling).
  2. Preserve history — full commit graph copied to avoid "single-commit sketchy repo" heuristics.
  3. Maintain appearance — intermittent benign commits, issue templates, plausible descriptions.
  4. Weaponize README — push commit updating README with "Download latest build" or "Windows installer" links to attacker-hosted zip files.

Payload Structure

Typical archive contents:

File                              Role
Application.cmd / Launcher.cmd    Batch launcher — often obfuscated with environment variable expansion
*.exe loader                      Staged downloader or direct trojan
lua51.dll                         Legitimate DLL sideloading target or trojanized variant
README.txt                        Social engineering instructions

Detection asymmetry: VirusTotal and URL scanners frequently return zero detections on the download URL (clean hosting, fresh domain) while extracted payloads trigger AV on disk. Developers who "check the link" before downloading get false confidence.

Distribution Amplification

  • Search engine indexing of GitHub README content surfaces trojanized repos in "how to install X" queries.
  • AI coding assistants and documentation scrapers may cite malicious README links into generated answers.
  • Package manager documentation occasionally links to GitHub README install sections.

Technical Analysis

Loader Behavior (Representative Sample)

  1. CMD launcher sets COMSPEC redirection and spawns hidden PowerShell or mshta.
  2. Loader downloads secondary stage from CDN or compromised WordPress site.
  3. Final payload categories observed: RMM tools (unattended access), cryptocurrency stealers, infostealers (browser creds, session tokens), and clipper malware.

Evasion Techniques

  • Time-delayed weaponization — repo exists cleanly for weeks before README update.
  • Geo-fenced payloads — secondary stage served only to non-sandbox IP ranges.
  • DLL sideloading — lua51.dll name matches expected dependency for Lua-embedded applications.

Indicators of Compromise

Indicator           Description
README zip links    External zip hosting linked from the README of a repo whose only recent change is a sudden "Update README.md" commit
Process             cmd.exe → powershell.exe -WindowStyle Hidden, launched from the user's Downloads directory
Files               Application.cmd, Launcher.cmd in %TEMP% or %USERPROFILE%\Downloads
Network             HTTPS to fresh domains (<30 days) from developer workstations
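A defender-side check for the "README zip links" indicator above, added here as an example (it is not code from the article or from the researcher who published the repo list). It extracts archive and installer links from a README, flags those hosted outside an allow-list, and checks whether the newest commit is a README-only "Update README.md" change. The allow-list of hosts, the sample README and the commit log are constructed for the example.

```python
# Added example (not the article's or any researcher's code): a defender-side
# scanner for the "README zip links" indicator. It extracts archive/installer
# links from a README, flags those hosted outside an allow-list, and checks
# whether the newest commit is a README-only "Update README.md" change.
# The allow-list, the README and the commit log below are all constructed.
import re
from urllib.parse import urlparse

# Assumption: an organisation keeps its own allow-list of release hosts.
TRUSTED_HOSTS = {"github.com", "objects.githubusercontent.com"}
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".exe", ".msi")

# Markdown links [text](url) first, then bare http(s) URLs.
LINK_RE = re.compile(r"\[([^\]]*)\]\((https?://[^)\s]+)\)|(https?://\S+)")


def suspicious_links(readme: str) -> list:
    """Return archive/installer links whose host is not in TRUSTED_HOSTS."""
    hits = []
    for m in LINK_RE.finditer(readme):
        if m.group(2):
            text, url = m.group(1), m.group(2)
        else:
            text, url = "", m.group(3).rstrip(".,)")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(ARCHIVE_EXT) and host not in TRUSTED_HOSTS:
            hits.append({"text": text, "url": url, "host": host})
    return hits


def readme_only_update(commits: list) -> bool:
    """True when the newest commit (list is oldest -> newest) carries the
    generic 'Update README.md' message and touches nothing but README.md,
    the pattern used to weaponize an otherwise clean mirror."""
    if not commits:
        return False
    last = commits[-1]
    return (last["message"].strip().lower() == "update readme.md"
            and last["files"] == ["README.md"])


def assess(readme: str, commits: list) -> dict:
    """Combine both signals; alert only when they coincide to keep noise down."""
    links = suspicious_links(readme)
    weaponized = readme_only_update(commits)
    return {"links": links, "readme_only_update": weaponized,
            "alert": bool(links) and weaponized}


# Constructed sample input: one external archive link, one GitHub release link.
SAMPLE_README = """# fastutils
Lightweight helpers for Python scripts.

## Install
pip install fastutils

**Windows users:** [Download latest build](https://example-cdn.test/fastutils-win64.zip)
Release archive: https://github.com/example-org/fastutils/releases/download/v1.2/fastutils-1.2.zip
"""
SAMPLE_COMMITS = [
    {"message": "Initial import", "files": ["setup.py", "README.md"]},
    {"message": "Fix typo in docs", "files": ["docs/index.md"]},
    {"message": "Update README.md", "files": ["README.md"]},
]

if __name__ == "__main__":
    print(assess(SAMPLE_README, SAMPLE_COMMITS))
```

Run against the constructed sample, the GitHub release link passes the allow-list, the external CDN link is reported, and because the newest commit is the README-only update the combined result alerts. Feeding the functions a repo's real README and commit list (for instance from the GitHub API) is left to the caller; requiring both signals together is what keeps a legitimate project that happens to host binaries elsewhere from firing on every README edit.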

Impact

Open-source consumers: Developers, students, and hobbyists searching for tooling installers.

Enterprise: CI/CD pipelines that curl README-linked binaries during build scripts — supply-chain compromise without npm/PyPI involvement.

Security researchers: Honeypot and sandbox operators who clone suspicious repos without VM isolation.

Mitigation

  1. Never download binaries from README links — use official package registries, signed releases, or vendor sites.
  2. Verify publisher identity — compare repo owner to known maintainer org; check org membership and 2FA badge.
  3. GitHub search monitoring — alert on repos cloning your org's popular projects with external zip links in README.
  4. EDR rules — flag cmd.exe spawning hidden PowerShell from Downloads directory on dev workstations.
  5. Dependency pinning — builds should not fetch unsigned external binaries; use internal artifact mirrors.
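Mitigation item 4 and the "Process" indicator in the IoC table describe the same rule: cmd.exe launching a hidden PowerShell from a drop directory on a developer workstation. The following is an added example of that detection logic (not code from the article, and not a vendor's EDR rule), run over constructed Sysmon-style process-creation events. Field names follow Sysmon Event ID 1 conventions; the events, paths and process IDs are made up, and the encoded command is a labelled placeholder.

```python
# Added example (not the article's code): detection logic for the "Process"
# indicator, run over constructed Sysmon-style process-creation events. It
# flags cmd.exe launching a hidden PowerShell (or mshta.exe) where the parent
# was started from a Downloads or Temp directory. Field names follow Sysmon
# Event ID 1 conventions; the events themselves are made up.
import json
import re

# "-WindowStyle Hidden", "-w hidden", "-w h" and case variants.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
DROP_DIR_RE = re.compile(r"\\(Downloads|Temp)\\", re.IGNORECASE)
SUSPICIOUS_CHILD = {"powershell.exe", "pwsh.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_launcher_chain(event: dict) -> bool:
    """True for cmd.exe -> hidden PowerShell/mshta from a drop directory."""
    if basename(event.get("ParentImage", "")) != "cmd.exe":
        return False
    child = basename(event.get("Image", ""))
    if child not in SUSPICIOUS_CHILD:
        return False
    # mshta has no console window to hide; treat any cmd.exe -> mshta.exe as hidden.
    hidden = child == "mshta.exe" or bool(HIDDEN_RE.search(event.get("CommandLine", "")))
    location = event.get("CurrentDirectory", "") + " " + event.get("ParentCommandLine", "")
    return hidden and bool(DROP_DIR_RE.search(location))


def scan(log_lines) -> list:
    """Return (ProcessId, 'parent -> child') for every event matching the rule."""
    alerts = []
    for line in log_lines:
        ev = json.loads(line)
        if is_launcher_chain(ev):
            alerts.append((ev["ProcessId"],
                           f"{basename(ev['ParentImage'])} -> {basename(ev['Image'])}"))
    return alerts


# Constructed events, serialised as JSON lines the way a log shipper would emit them.
_EVENTS = [
    {  # interactive PowerShell from Explorer: benign
        "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe", "CurrentDirectory": "C:\\Users\\dev\\project\\",
        "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {  # README-delivered launcher: Application.cmd in Downloads spawns hidden PowerShell
        "ProcessId": 5388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -WindowStyle Hidden -EncodedCommand PLACEHOLDER",
        "CurrentDirectory": "C:\\Users\\dev\\Downloads\\fastutils\\",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c C:\\Users\\dev\\Downloads\\fastutils\\Application.cmd"},
    {  # CI build script using hidden PowerShell outside any drop directory: not flagged
        "ProcessId": 6001, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -File build.ps1", "CurrentDirectory": "C:\\build\\",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c build.cmd"},
    {  # launcher variant using mshta from %TEMP%
        "ProcessId": 6102, "Image": "C:\\Windows\\System32\\mshta.exe",
        "CommandLine": "mshta.exe Launcher.hta", "CurrentDirectory": "C:\\Users\\dev\\AppData\\Local\\Temp\\",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c C:\\Users\\dev\\AppData\\Local\\Temp\\Launcher.cmd"},
]
SAMPLE_LOG = [json.dumps(e) for e in _EVENTS]

if __name__ == "__main__":
    for pid, chain in scan(SAMPLE_LOG):
        print(f"ALERT pid={pid} {chain}")
```

The rule keys on three things at once (cmd.exe parent, a hidden PowerShell or mshta child, and a Downloads or Temp path on the parent), which is why the constructed CI event that runs a hidden PowerShell from a build directory is not flagged; an EDR rule scoped to dev workstations can afford to be this specific, and the Files row of the IoC table (Application.cmd in %TEMP% or Downloads) is what the path check encodes.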

Timeline

Date          Event
2026-06-17    Researcher begins publishing repo list and sample analysis
2026-06-18    Hacker News discussion drives visibility; GitHub mass-deletion begins
2026-06-18    Author reports deletion incomplete — new repos continue appearing
2026-06-19    Community IOC lists and search dork collections circulated
