There is an ongoing surge of malicious repositories on GitHub, and the sad thing about it is that GitHub seems not to care much.

About 10 days ago, I searched for a repo on DuckDuckGo and stumbled upon a fake GitHub repo. It mimics a legitimate repository, but instead of providing the usual releases, it only provides Windows binaries. Linux binaries are not available, and the information on how to build the project was removed from the README file. The description was also altered using LLMs, removing a lot of technical details. I reported this repository to GitHub, explaining the problem and showing the report from VirusTotal. To this day, the repository is still there, and the binaries are still available for download. The repo has been active for two months. The README is updated every hour so that the repository ranks higher in GitHub search.

Today, I saw another case of this on X, and this got me thinking about checking GitHub for more of these repositories. I was able to find more than 100 such repositories; some of them are completely generated by LLMs to get traffic from search engines and GitHub, while others mimic popular repositories.

Here is a simple dork for GitHub code search (the part between the slashes is a regular expression):

path:README.md /software-v.*.zip/

Malicious links usually follow a recognizable pattern:

Software-v1.9-beta.2.zip
Software-v1.7.zip
Software-v1.9-alpha.3.zip

Some of the users seem to have been registered a long time ago, so I guess there is account hijacking going on.

Don't be fooled: always check the repository that you are downloading from, and treat a download that your browser does not block as unverified rather than safe. The good thing is that browsers already refuse to download the majority of these malicious files, because they are flagged by antivirus software.

If you have any questions, feel free to ask them via the e-mail address displayed in the footer. All articles on this website are written by a human without LLM assistance.
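As an added example, not code from the post or its author, here is a small Python triage script that turns the indicators described above into checks you can run over a README and its commit history: the Software-vX.Y[-beta.N].zip file-name pattern behind the dork, Windows-only download links, missing build instructions, and hourly README churn. It also builds the GitHub code-search URL for the dork. The README texts, repository names (FooTool, example-user, example-org) and commit timestamps are constructed samples, and the churn threshold is an assumed value, not something the post specifies.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import quote

# Markdown link: [text](target)
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")

# File names following the pattern the post lists:
#   Software-v1.7.zip, Software-v1.9-beta.2.zip, Software-v1.9-alpha.3.zip
LURE_ARCHIVE = re.compile(r"(?i)^[\w.-]+-v\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\.\d+)?\.zip$")

# Tokens in a link target that would show a non-Windows release exists.
# The post observed that the lure repos offer Windows binaries only.
NON_WINDOWS = ("linux", "darwin", "macos", ".tar.gz", ".deb", ".rpm", ".appimage", ".dmg")

# Phrases a genuine README usually keeps; the post notes the fake one had them stripped.
BUILD_MARKERS = ("build from source", "building from source", "cmake", "make install",
                 "cargo build", "go build", "pip install", "npm install", "./configure")

# Assumed threshold: "updated every hour" is roughly 24 README commits a day.
CHURN_PER_DAY_THRESHOLD = 12.0


def github_search_url(dork: str) -> str:
    """GitHub code-search URL for a dork such as 'path:README.md /software-v.*.zip/'."""
    return "https://github.com/search?type=code&q=" + quote(dork, safe="")


def link_targets(readme: str) -> list[str]:
    return [url for _text, url in MD_LINK.findall(readme)]


def lure_links(readme: str) -> list[str]:
    """Link targets whose file name matches the Software-vX.Y[-beta.N].zip pattern."""
    return [url for url in link_targets(readme)
            if LURE_ARCHIVE.search(url.rsplit("/", 1)[-1])]


def offers_non_windows_download(readme: str) -> bool:
    return any(tok in url.lower() for url in link_targets(readme) for tok in NON_WINDOWS)


def has_build_instructions(readme: str) -> bool:
    low = readme.lower()
    return any(marker in low for marker in BUILD_MARKERS)


def readme_churn_per_day(commit_times: list[datetime]) -> float:
    """Commits touching the README per day over the observed window (0.0 if fewer than two)."""
    if len(commit_times) < 2:
        return 0.0
    ordered = sorted(commit_times)
    span_days = (ordered[-1] - ordered[0]).total_seconds() / 86400
    return len(ordered) / span_days if span_days > 0 else float("inf")


def triage(readme: str, readme_commit_times: list[datetime]) -> dict:
    """Evaluate the four indicators from the post; a genuine repository should score 0."""
    links = lure_links(readme)
    indicators = {
        "lure_archive_links": bool(links),
        "windows_only_downloads": bool(links) and not offers_non_windows_download(readme),
        "build_instructions_missing": not has_build_instructions(readme),
        "hourly_readme_churn": readme_churn_per_day(readme_commit_times) >= CHURN_PER_DAY_THRESHOLD,
    }
    return {"lure_links": links, "indicators": indicators, "score": sum(indicators.values())}


# Constructed sample input (not a real repository): a lure README next to a genuine one.
FAKE_README = """# FooTool
FooTool is a fast, lightweight utility that boosts your productivity with one click.

## Download
[Download FooTool-v1.9-beta.2.zip](https://github.com/example-user/FooTool/releases/download/v1.9/FooTool-v1.9-beta.2.zip)

Supports Windows 10 and 11.
"""

REAL_README = """# FooTool
## Building from source
    cmake -B build && cmake --build build

## Releases
[FooTool-1.9-linux-x86_64.tar.gz](https://github.com/example-org/FooTool/releases/download/v1.9/FooTool-1.9-linux-x86_64.tar.gz)
[FooTool-1.9-windows-x86_64.zip](https://github.com/example-org/FooTool/releases/download/v1.9/FooTool-1.9-windows-x86_64.zip)
"""

# Constructed commit timestamps: 48 hourly README commits versus three commits in a month.
FAKE_COMMITS = [datetime(2026, 3, 1) + timedelta(hours=h) for h in range(48)]
REAL_COMMITS = [datetime(2026, 1, 1), datetime(2026, 1, 15), datetime(2026, 1, 31)]

if __name__ == "__main__":
    print(github_search_url("path:README.md /software-v.*.zip/"))
    for name, readme, commits in (("fake", FAKE_README, FAKE_COMMITS), ("real", REAL_README, REAL_COMMITS)):
        print(name, triage(readme, commits))
```

The commit timestamps would in practice come from the repository's history for the README path (for example `git log --format=%cI -- README.md`); a score of 2 or more on a repository you found via a search engine rather than via the project's own site is a good reason to look at the original project before downloading anything.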
The rise of malicious repositories on GitHub. Security category, March 15, 2026.
Attackers are creating malicious GitHub repositories that mimic legitimate projects, often using LLMs to generate or alter the README, and distribute malware as Windows-only binaries. These repositories game search rankings through hourly README updates and use a predictable naming pattern (Software-vX.Y[-beta.N].zip) for the malicious archives. Verify a repository (its history, its maintainers, whether source and build instructions are present) before downloading; browsers block many of the flagged files, but that is not a substitute for checking.