GitHub flooded with malware repos spoofing real projects–no response from GitHub
15 points by joshdotsmith 5 days ago | 4 comments
GitHub is being overrun with repositories impersonating legitimate open-source projects to spread malware. One of them is spoofing my own app. I reported it through GitHub’s official channels days ago, reached out on social media, and even contacted individual GitHub employees. No response.

This isn’t just one or two cases; it looks like a massive campaign. The repos often copy a real project’s README and structure, though reworded through an LLM, but contain malicious code distributed through releases or sometimes attachments. Here’s one example: https://github.com/ojas1103/CircleProgressKit

Take care not to actually download this unless you know what you’re doing. This is malware.

Some of these have a high number of stars on occasion, though they are sometimes difficult to find because the Threat Actor appears to be constantly force pushing code to force GitHub to re-index it, so they have to be discovered through external indexes.

The malware seems to predominantly contain Redline infostealers. It appears that they may even include some of the recent more advanced 2FA credential stealers.

The worst part? These aren’t getting taken down despite multiple reports. GitHub appears to be a black hole. If someone downloads a spoofed repo thinking it’s safe, they could be running malware. I don’t know how many people have been affected, but it seems to be escalating.

At this point, I’m out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?

My suggestion (which I think I shared here for someone that was facing the same problem) is to go the way of bigger open source projects. Create a web site and add a link to the repo for the project. That's how I search for official repos: either a mention from reputable sources, or the project's web page. Not that it's more trustworthy, but a bit harder to spoof than just creating a new repo on GitHub.

I reported some issue spam in August last year and recently got an email from GitHub that they're looking at it.

So your report might get looked at in half a year. Less if they have working filters to prioritize reported malware.


> At this point, I’m out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?

Not read any thriller / conspiracy novels? :-) The way is to do exactly what you're doing here: take the news public. Very public. The more the merrier. Post to HN, LinkedIn, Facebook, Slashdot, Twitter, TikTok, Reddit, etc. Send email to every news/media outlet you can find contact info for. @mention people who work for CNN, MSNBC, ABC News, Fox News, CBS News, Reuters, Associated Press, etc. on Twitter, or find them on LinkedIn and message them. Write up a press release and submit it using PRNewswire and suchlike. Record a video and post it on YouTube. Contact the Attorneys General for all 50 US states. And so on.


Thanks, I just find it wild that Microsoft appears wholly uninterested in policing what seems like a huge legal liability to their business. I’ll start reaching out to as many journalists as I can with what I’ve got. They seem a little overwhelmed from the two I’ve already reached out to.

Edited to add: I’ve also been hoping that I could avoid giving the attackers too much of a heads up, but at this point the risk is higher that nothing gets done about it at all.
