Hackers Compromised 10,000+ GitHub Repositories to Inject Malicious Script
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A large-scale malware campaign has been uncovered on GitHub<\/a> after a researcher identified more than 10,000 repositories distributing Trojan-laced archives, raising concerns about abuse of the platform\u2019s trust model and limitations in automated detection.<\/p>\n The investigation began when the researcher noticed a cloned version of their own repository appearing in search engine results.<\/p>\n While the project name, description, and commit history appeared identical, a newly added commit introduced a malicious link<\/a> in the README file pointing to a downloadable ZIP archive.<\/p>\n Similar behavior was later observed across multiple repositories with different names and contributors, with no direct fork relationships, suggesting a coordinated campaign rather than isolated incidents.<\/p>\n Closer analysis revealed a consistent pattern across these repositories. Attackers replicated legitimate repositories, including full commit histories and contributor profiles, likely to establish credibility.<\/p>\n They then periodically modified the README file to include links to external ZIP archives. These commits were often overwritten and re-pushed every few hours, typically labeled \u201cUpdate README.md,\u201d a tactic that may help evade detection mechanisms or maintain visibility in indexing systems.<\/p>\n The linked ZIP archives contained a small set of files, including command scripts, executable loaders, and dynamic libraries.<\/p>\n While individual file links often returned no detections on VirusTotal, downloading and scanning the full archive revealed Trojan malware<\/a>.<\/p>\n This indicates the attackers may be using evasion techniques that rely on splitting or obfuscating payload components to bypass automated scanning tools.<\/p>\n To identify the scale of the campaign, the researcher developed a script using GitHub event data from GH Archive.<\/p>\n Instead of scanning all repositories, which would be impractical due to API rate limits, the script focused on repositories<\/a> with frequent commit activity.<\/p>\n Out of approximately 16 million commit events analyzed over five days, around 3,000 repositories showed suspicious update patterns.<\/p>\n After refining filters to exclude bots, enforcing contributor diversity, and detecting anomalous commit timing, the script ultimately identified roughly 10,000 repositories that matched the malicious pattern.<\/p>\n According to Orchid in a report shared with Cybersecurity News<\/a>, many of the compromised repositories had remained undetected for months or even years.<\/p>\n Researchers also found that several repositories were updated only infrequently, challenging the assumption that rapid commit activity is a defining trait of malicious repositories.<\/p>\n Additional indicators included commits with no actual file changes and consistent naming conventions, further highlighting automated deployment methods.<\/p>\n The campaign appears designed to exploit GitHub\u2019s visibility<\/a> in search engines and developer workflows. By cloning newly created or low-traffic repositories, attackers increase the likelihood of appearing in search results for niche queries.<\/p>\n Preserving commit history and contributor metadata adds legitimacy, making it more likely that users will trust and download the malicious files.<\/p>\n Despite reporting efforts, remediation has been inconsistent. GitHub removed repositories explicitly listed by the researcher. However, newly identified ones remained active, suggesting a reactive rather than proactive enforcement approach.<\/p>\n Public reports and earlier research indicate this tactic has been in use since at least early 2025, with similar campaigns distributing malware families such as SmartLoader and StealC.<\/p>\n The findings highlight a broader challenge for code hosting platforms: detecting malicious behavior that mimics legitimate development activity.<\/p>\n Without scalable analysis of repository content, commit patterns, and external links, such campaigns can persist undetected.<\/p>\n For developers, the incident underscores the importance of verifying external downloads, even when sourced from seemingly legitimate repositories.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Hackers Compromised 10,000+ GitHub Repositories to Inject Malicious Script<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nGitHub Malware Campaign Impacts<\/strong><\/h2>\n