Open Source June 19, 2026 bearish ⇧ 845 pts across 2 threads

GitHub becomes a malware distribution platform at scale

A researcher documented a campaign of roughly 10,000 GitHub repositories that forked small, legitimate codebases and embedded trojan malware in the downloadable archives. The malware phoned home via three network requests, and VirusTotal confirmed the files were malicious. GitHub eventually removed the repositories, but only after months of back-and-forth with support, so the campaign stayed live long after it had been reported.

This is not a one-off. It fits a pattern of supply chain attacks that exploit developer trust in open source. The vector here is clever: fork something real and small enough that nobody scrutinizes it, distribute it through GitHub's own infrastructure, and let organic search and copy-paste culture do the rest. The npm-scan project in the list is chasing the same threat on a different surface.

Commenters noted the irony that writing about this publicly may cause the attackers to go quiet temporarily, making the campaign harder to track. That detail captures the cat-and-mouse dynamic perfectly: defenders have to publish to warn people, which also warns attackers.


So what?

If you are pulling in small utility libraries straight from GitHub without pinning to a full commit hash you have reviewed, you are exposed: a tag or branch name can be moved to point at a different tree, a commit SHA cannot. Audit your dependency list for obscure forks of well-known tools, starting with any entry whose owner is not the upstream project's. GitHub's response time here was months, so do not assume the platform will catch this before it hits your build pipeline.
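One concrete way to run the two checks above over your own manifests, written as an added example (not code from the post, the researcher, or the npm-scan project): it scans a requirements.txt and a package.json for GitHub-sourced dependencies and flags any that are not pinned to a full 40-character commit SHA, or whose owner is not on an allowlist of upstream projects you trust. The owners `example-org` and `rand0m-forker`, the repository names and the SHA in the sample manifests are constructed placeholders.

```python
"""Flag GitHub-sourced dependencies that are not pinned to a full commit SHA or
that come from an owner outside an allowlist (a cheap check for obscure forks).
Added example, not code from the original post. Owners, repos and the SHA used
in the sample manifests below are constructed for illustration."""
import json
import re
from dataclasses import dataclass, field

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# pip VCS requirement: "name @ git+https://github.com/owner/repo@ref" or
# "git+https://github.com/owner/repo@ref#egg=name". The ref part is optional.
PIP_GIT = re.compile(
    r"git\+https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?"
    r"(?:@(?P<ref>[^#\s]+))?(?:#.*)?$"
)
# npm GitHub specs: "github:owner/repo#ref", "owner/repo#ref",
# "https://github.com/owner/repo.git#ref". Registry ranges such as "^1.2.3"
# contain no slash and never match. (git+ssh:// specs are not handled here.)
NPM_GIT = re.compile(
    r"^(?:github:|git\+https://github\.com/|https://github\.com/)?"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?(?:#(?P<ref>\S+))?$"
)


@dataclass
class Finding:
    source: str                          # which manifest the spec came from
    name: str                            # dependency name as declared
    repo: str                            # owner/repo on GitHub
    reasons: list = field(default_factory=list)


def _check(owner, ref, trusted):
    """Return the list of problems with one GitHub spec (empty list = clean)."""
    reasons = []
    if ref is None:
        reasons.append("no ref: tracks the default branch, contents can change at any time")
    elif not FULL_SHA.match(ref):
        reasons.append(f"ref {ref!r} is a branch or tag, not a full commit SHA (tags can be moved)")
    if owner.lower() not in trusted:
        reasons.append(f"owner {owner!r} is not a trusted upstream: check whether this is a fork")
    return reasons


def audit_pip(requirements_text, trusted_owners):
    trusted = {o.lower() for o in trusted_owners}
    findings = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIP_GIT.search(line)
        if not m:
            continue  # registry pins such as "somelib==1.0.0" are out of scope here
        owner, repo, ref = m.group("owner", "repo", "ref")
        egg = re.search(r"#egg=([\w.-]+)", line)
        name = line.split(" @ ")[0] if " @ " in line else (egg.group(1) if egg else repo)
        reasons = _check(owner, ref, trusted)
        if reasons:
            findings.append(Finding("requirements.txt", name, f"{owner}/{repo}", reasons))
    return findings


def audit_npm(package_json_text, trusted_owners):
    trusted = {o.lower() for o in trusted_owners}
    pkg = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            m = NPM_GIT.match(spec)
            if not m:
                continue  # registry version range, not a GitHub source
            owner, repo, ref = m.group("owner", "repo", "ref")
            reasons = _check(owner, ref, trusted)
            if reasons:
                findings.append(Finding("package.json", name, f"{owner}/{repo}", reasons))
    return findings


# Constructed sample manifests (hypothetical owners and repos; the SHA is a placeholder).
GOOD_SHA = "0123456789abcdef0123456789abcdef01234567"
TRUSTED = ["example-org"]
PIP_SAMPLE = f"""
somelib==1.0.0
ezutil @ git+https://github.com/example-org/ezutil@{GOOD_SHA}
fmt-helper @ git+https://github.com/example-org/fmt-helper@main
colorpick @ git+https://github.com/rand0m-forker/colorpick@0.4.6
"""
NPM_SAMPLE = json.dumps({"dependencies": {
    "some-lib": "^1.3.0",
    "tiny-util": f"github:example-org/tiny-util#{GOOD_SHA}",
    "tiny-util-fork": "github:rand0m-forker/tiny-util",
    "other": "https://github.com/example-org/other.git#v1.0.0",
}})

if __name__ == "__main__":
    for f in audit_pip(PIP_SAMPLE, TRUSTED) + audit_npm(NPM_SAMPLE, TRUSTED):
        print(f"[{f.source}] {f.name} ({f.repo})")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it as a script to see the report on the constructed manifests, or import `audit_pip` and `audit_npm` into a CI step and fail the build on any finding. The script works offline and deliberately does not contact GitHub: it does not verify that a pinned SHA exists, and it cannot tell you whether an account you have already allowlisted is itself a fork. Treat it as a first filter, and pair it with your package manager's lockfile and hash verification for the registry-sourced entries it skips.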

Read these