I found 10k GitHub repositories distributing Trojan malware

Nature of the Malware Campaign

  • Repositories host seemingly useful projects but distribute malware via linked ZIP archives or replaced binaries in “releases.”
  • Samples show network activity to IP info services, Polygon RPC nodes, and a C2 server, suggesting crypto theft.
  • One analyzed sample matches the “disco” trojan family; most payloads are Windows-focused.
  • Attackers frequently delete and re-push commits to stay at the top of “recently updated” and search results.

GitHub’s Role and Response

  • Mixed experiences when reporting: some repos removed within 24 hours; others linger for months or years (including obvious piracy).
  • Commenters argue GitHub is not a curated repository, more like a file host or forum with links.
  • Several feel GitHub/Microsoft underuse their resources (including AI) for proactive malware detection, likely due to business tradeoffs and false-positive risks.

Limits of “Open Source Is Safe”

  • Strong debate over the common belief that open source is “safer” because it’s auditable.
  • Many note that:
    • Few people actually read code or verify that binaries match sources.
    • Stars, popularity, and “many eyes” create a false sense of security and are easily gamed.
  • Others push back that open source was never guaranteed clean, only more auditable; xz backdoor cited as a counterexample to naïve trust.

Detection, Scanning, and Tooling

  • VirusTotal sometimes flags the malware only when the ZIP is uploaded directly, not when given just a link.
  • Calls for GitHub-wide release/binary scanning and basic heuristics (new accounts, synchronized stargazers, cloned malware trees).
  • Existing tools mentioned: Socket, Aikido, Step-Security, Wiz, Semgrep-style scanning; some want better pre-download GitHub scanners.
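As an added illustration of the heuristics named above (not code from the thread or from any of the tools it mentions), the Python below scores constructed repository records for a new owner account, a burst of synchronized stars, delete-and-re-push churn, and identical source trees cloned across accounts; the record field names are assumptions, not a real GitHub API schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
NOW = datetime(2025, 1, 15)  # constructed reference time for the sample data

def burst(times, window, min_count):
    """True if at least min_count events fall inside one sliding window."""
    times = sorted(times)
    return any(sum(1 for t in times[i:] if t - start <= window) >= min_count
               for i, start in enumerate(times))

def cloned_trees(repos, min_owners=3):
    """Tree hashes that show up under at least min_owners distinct owners."""
    owners = defaultdict(set)
    for r in repos:
        owners[r["tree_hash"]].add(r["owner"])
    return {h for h, o in owners.items() if len(o) >= min_owners}

def score_repo(repo, shared_trees, now=NOW):
    """List the heuristics from the thread that fire for one repository record."""
    signals = []
    if (now - repo["owner_created_at"]).days < 30:
        signals.append("new_account")              # freshly created owner account
    if burst(repo["star_times"], timedelta(hours=1), 5):
        signals.append("synchronized_stargazers")  # 5+ stars inside one hour
    if burst(repo["push_times"], timedelta(days=7), 10):
        signals.append("repush_churn")             # delete-and-re-push to stay "recent"
    if repo["tree_hash"] in shared_trees:
        signals.append("cloned_tree")              # same tree cloned across accounts
    return signals

def triage(repos, threshold=2, now=NOW):
    """Repo name -> signals, for repos tripping at least `threshold` heuristics."""
    shared = cloned_trees(repos)
    scored = {r["name"]: score_repo(r, shared, now) for r in repos}
    return {name: s for name, s in scored.items() if len(s) >= threshold}

def sample(name, owner, age_days, tree, step_minutes):
    """Constructed record (assumed field names); step_minutes sets how bunched events are."""
    t0 = NOW - timedelta(days=60)
    return {"name": name, "owner": owner, "tree_hash": tree,
            "owner_created_at": NOW - timedelta(days=age_days),
            "star_times": [t0 + timedelta(minutes=step_minutes * i) for i in range(8)],
            "push_times": [t0 + timedelta(minutes=step_minutes * i) for i in range(12)]}

SAMPLE_REPOS = [  # constructed, not real repositories
    sample("ghost-tool", "acct-a", 4, "tree-X", 5),
    sample("ghost-tool-2", "acct-b", 2, "tree-X", 5),
    sample("ghost-tool-3", "acct-c", 9, "tree-X", 5),
    sample("old-lib", "maintainer", 2000, "tree-Y", 5 * 24 * 60),
]
```

Calling `triage(SAMPLE_REPOS)` flags the three cloned "ghost-tool" repos on all four signals and leaves the long-lived, slowly starred "old-lib" unflagged; the thresholds are deliberately conservative so that a single signal alone never flags a repo.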

Search Engines and Phishing

  • Search results (especially non-Google) often surface phishing or malicious GitHub forks above legitimate repos.
  • Some users report phishing pages for banks and GitHub projects ranking highly; others say this happens on multiple major search engines.

Account Security and Password Practices

  • A high-profile case of malware from a GitHub plugin compromising a password manager drives debate over:
    • Storing TOTP/MFA in the same vault as passwords.
    • Using hardware keys (e.g., YubiKey), separate devices, or multiple vaults.
  • Several argue password managers assume an uncompromised device; once malware runs locally, many defenses fail.

Social Engineering and Fake Technical Tests

  • Descriptions of recruitment scams: “dream job” offers, then a “technical test” repo that actually deploys malware.
  • Some developers now run all such tests only in disposable VMs and monitor outbound connections.

Broader Concerns About Ecosystem Quality

  • Perception that GitHub is drifting toward “SourceForge 2.0”: spam, malware, SEO-gamed stars, and weak enforcement.
  • Some see this as a long-standing open ecosystem reality; others blame large corporate ownership and growth incentives.