Massive GitHub Malware Campaign Exploits 10,000 Repositories To Distribute Trojanized Payloads

A large-scale malware distribution campaign targeting GitHub users has been uncovered, exposing an operation that used roughly 10,000 attacker-created repositories to spread Trojanized payloads. The activity was first detected on June 18, 2026, after a researcher from OrchidFiles found a cloned copy of their own GitHub repository in search engine results. The clone reproduced the original project's metadata, commit history, and contributor information, but its README file carried a newly added external link pointing visitors to a ZIP archive. Further investigation showed that the repository was one of thousands of similarly structured projects built to look legitimate while distributing malicious content.

The campaign demonstrated a high degree of automation and deception. Rather than using GitHub's fork feature, which leaves a visible "forked from" link to the upstream project, the threat actors created independent clones that replicated commit histories and contributor attribution, so each repository looked like an original project with an established development record.

Researchers observed a recurring pattern in which the attackers repeatedly deleted previous commits and re-uploaded identical commits every few hours, each time making minor modifications to the README file. These updates consistently introduced links to ZIP archives containing malware payloads. Commit messages across the repositories followed generic formats such as "Update README.md," suggesting that the process was automated and centrally managed.

Analysis of the linked ZIP archives showed a nearly identical structure across repositories. Most archives contained four files: a command script such as Application.cmd, a loader executable commonly named loader.exe or luajit.exe, a secondary file with a randomly generated name, and a lua51.dll library. The luajit.exe and lua51.dll pair is the standard LuaJIT runtime for Windows, so the randomly named file is most likely the Lua-side payload that the launcher hands to the interpreter.

Investigators also found an apparent attempt to evade security monitoring. Submitting the download URLs to services such as VirusTotal produced no detections, while manually uploading the ZIP files themselves triggered Trojan-related alerts. This indicates the attackers were exploiting a limitation of URL-based scanning, which can only judge what the link serves at scan time. The practical consequence for analysts is to submit the downloaded file (or its hash) rather than the link.
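As an added example (not code from the researcher or from the article), the following Python helpers implement the two checks a triage analyst would want from the description above: pull off-platform ZIP links out of a README, and inspect an archive's member list for the launcher / loader / lua51.dll layout without extracting anything. The README text, host names, repository path, and ZIP contents are constructed placeholders; the archive is built in memory so the example runs offline.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import urlparse

# Archive layout described in the write-up: a .cmd launcher, a loader EXE
# (loader.exe or luajit.exe), the lua51.dll runtime, and one randomly named
# file.  luajit.exe plus lua51.dll is the stock LuaJIT Windows runtime, so
# the unnamed fourth member is the likely Lua-side payload.
LOADER_NAMES = {"loader.exe", "luajit.exe"}
RUNTIME_DLL = "lua51.dll"
LAUNCHER_SUFFIXES = (".cmd", ".bat")

# http(s) URL ending in .zip; catches bare URLs as well as the target of
# Markdown links and HTML anchors.
ARCHIVE_LINK_RE = re.compile(r"https?://[^\s)\"'<>]+?\.zip\b", re.IGNORECASE)


def extract_archive_links(readme_text, trusted_hosts):
    """Return .zip links in a README whose host is not in trusted_hosts.

    An archive hosted off-platform, linked from a README that otherwise
    mirrors a known project, is the indicator the campaign relied on.
    """
    links = []
    for url in ARCHIVE_LINK_RE.findall(readme_text):
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            links.append(url)
    return links


def classify_zip(data):
    """Inspect only the ZIP central directory; nothing is extracted or run."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    base = [m.rsplit("/", 1)[-1].lower() for m in members]
    expected = [n for n in base
                if n in LOADER_NAMES or n == RUNTIME_DLL or n.endswith(LAUNCHER_SUFFIXES)]
    unknown = [n for n in base if n not in expected]
    matches = (
        any(n.endswith(LAUNCHER_SUFFIXES) for n in base)
        and any(n in LOADER_NAMES for n in base)
        and RUNTIME_DLL in base
    )
    return {
        # Submit this hash (or the file itself) to scanners, not the download URL.
        "sha256": hashlib.sha256(data).hexdigest(),
        "members": base,
        "matches_layout": matches,
        "unknown_members": unknown,
    }


def build_sample_zip(member_names):
    """Constructed sample archive with placeholder bytes, so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed README: a mirrored project page with one off-platform download link added.
SAMPLE_README = """# example-project
Mirror of the upstream documentation ...
Download: [Latest build](https://files.example-cdn.test/build/Release.zip)
Source archive: https://github.com/upstream-org/example-project/archive/refs/heads/main.zip
"""

if __name__ == "__main__":
    print(extract_archive_links(SAMPLE_README, {"github.com"}))
    print(classify_zip(build_sample_zip(["Application.cmd", "luajit.exe", "lua51.dll", "k3q9xz.bin"])))
```

The layout check deliberately ignores member contents: the point is that a four-file archive pairing a LuaJIT runtime with a .cmd launcher is unusual enough for a README download link to warrant sandboxing before anyone runs it, and the SHA-256 lets the analyst query scanners by file rather than by URL.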

To determine the scale of the operation, the researcher developed a custom detection method using GitHub event data collected through GH Archive. Given the size of GitHub, estimated at more than 500 million repositories, scanning every repository was not practical. Instead, the analysis focused on recent activity and on repositories with unusually frequent commit patterns. An initial review of approximately 16 million commit events collected over a five-day period narrowed the scope to roughly 3,000 repositories exhibiting periodic updates. Additional filtering applied stricter indicators: commits from non-bot accounts, unusual timing intervals between updates, and attribution to multiple contributors. Early versions of the detection model identified only a limited number of repositories; refining the criteria to account for less frequent update schedules significantly expanded visibility into the campaign. The final assessment uncovered around 40,000 suspicious repositories, of which about 10,000 matched the malware distribution pattern associated with the operation.
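The following Python sketch is an added example, not the researcher's tooling (which the article does not publish). It applies the filters described above to PushEvent records in the GH Archive format (one JSON object per line; the `type`, `actor.login`, `repo.name`, `created_at` and `payload.commits[].author.email` fields are the GitHub Events API shape): it groups pushes by repository, drops bot-only activity, measures how regular the push intervals are, requires every push to end in a generic README commit, and requires more than one commit author. The events, repository names, logins and thresholds are constructed for the example.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime


def _push(repo, actor, created_at, commits):
    """Build a PushEvent in the GitHub Events / GH Archive shape (constructed sample data)."""
    return {
        "type": "PushEvent",
        "actor": {"login": actor},
        "repo": {"name": repo},
        "created_at": created_at,
        "payload": {"commits": [
            {"message": msg, "author": {"name": email.split("@")[0], "email": email}, "distinct": True}
            for email, msg in commits
        ]},
    }


# Constructed events.  The cloned repo replays two upstream commits plus a README
# edit roughly every 6 h; the second repo is ordinary development; the third is
# periodic but bot-driven.  A WatchEvent is included to show non-push events are ignored.
_REPLAYED = [("alice@example.test", "Add parser"), ("bob@example.test", "Fix tests")]
_README = [("someuser@example.test", "Update README.md")]
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _push("someuser/cloned-project", "someuser", "2026-06-14T00:00:00Z", _REPLAYED + _README),
    _push("someuser/cloned-project", "someuser", "2026-06-14T06:02:00Z", _REPLAYED + _README),
    _push("someuser/cloned-project", "someuser", "2026-06-14T12:01:00Z", _REPLAYED + _README),
    _push("someuser/cloned-project", "someuser", "2026-06-14T18:03:00Z", _REPLAYED + _README),
    _push("someuser/cloned-project", "someuser", "2026-06-15T00:00:00Z", _REPLAYED + _README),
    _push("team/app", "dev1", "2026-06-14T09:15:00Z", [("dev1@example.test", "Refactor auth middleware")]),
    _push("team/app", "dev1", "2026-06-14T09:40:00Z", [("dev1@example.test", "Fix lint warnings")]),
    _push("team/app", "dev2", "2026-06-15T14:22:00Z", [("dev2@example.test", "Add rate limiting")]),
    _push("team/app", "dev1", "2026-06-17T11:05:00Z", [("dev1@example.test", "Update README.md")]),
    _push("org/infra", "dependabot[bot]", "2026-06-14T03:00:00Z", [("support@example.test", "Bump lodash")]),
    _push("org/infra", "dependabot[bot]", "2026-06-14T09:00:00Z", [("support@example.test", "Bump lodash")]),
    _push("org/infra", "dependabot[bot]", "2026-06-14T15:00:00Z", [("support@example.test", "Bump lodash")]),
    {"type": "WatchEvent", "actor": {"login": "x"}, "repo": {"name": "team/app"},
     "created_at": "2026-06-14T10:00:00Z", "payload": {}},
])

GENERIC_MESSAGES = {"update readme.md", "update readme"}


def detect_periodic_readme_churn(jsonl, min_pushes=3, max_jitter=0.2):
    """Flag repos whose pushes recur at near-constant intervals, always end in a
    generic README commit, come from a human login, and carry several authors."""
    by_repo = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") == "PushEvent":
            by_repo[ev["repo"]["name"]].append(ev)

    flagged = {}
    for repo, events in by_repo.items():
        if len(events) < min_pushes:
            continue
        events.sort(key=lambda e: e["created_at"])
        if all(e["actor"]["login"].endswith("[bot]") for e in events):
            continue  # dependabot/CI pushes are expected to be periodic
        times = [datetime.strptime(e["created_at"], "%Y-%m-%dT%H:%M:%SZ") for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation of the gaps: near 0 means a fixed schedule.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        heads = [e["payload"]["commits"][-1]["message"].strip().lower()
                 for e in events if e["payload"].get("commits")]
        generic = len(heads) == len(events) and all(h in GENERIC_MESSAGES for h in heads)
        authors = {c["author"]["email"] for e in events for c in e["payload"].get("commits", [])}
        if jitter <= max_jitter and generic and len(authors) > 1:
            flagged[repo] = {
                "pushes": len(events),
                "mean_gap_hours": round(mean_gap / 3600, 2),
                "jitter": round(jitter, 3),
                "distinct_authors": len(authors),
            }
    return flagged


if __name__ == "__main__":
    print(detect_periodic_readme_churn(SAMPLE_EVENTS))
```

Against the real feed, the input would be the hourly gzipped files GH Archive publishes (for example https://data.gharchive.org/2026-06-18-0.json.gz), concatenated over the observation window. The two thresholds are where the article's refinement happened: a low `min_pushes` and a loose `max_jitter` over a five-day window catch repositories updated every few hours, while repositories on a daily or slower cadence only surface once the window is widened and the push-count threshold lowered.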

The findings raise concerns about the ability of repository hosting platforms to identify and remove malicious infrastructure at scale. Many of the affected repositories had remained active for months without attracting attention, and removals appeared to occur mainly after researchers submitted reports. Follow-up scans revealed newly created repositories using the same tactics, suggesting that the operators were actively maintaining and replenishing their network.

Researchers believe the campaign combines search engine optimization abuse with social engineering to increase visibility and user engagement. By cloning newly created or lesser-known repositories and applying relevant tags, attackers can improve search rankings and attract unsuspecting users. The authentic contributor histories further strengthen the appearance of legitimacy.

Although the full capabilities of the malware have not yet been determined, similar methods have previously been associated with malware loaders such as SmartLoader and information-stealing threats including StealC. These links suggest the campaign may be aimed at credential theft, unauthorized access, and broader system compromise.

Security professionals advise users to treat external download links in repository README files with caution, particularly when such links were introduced in recent modifications, and to verify downloaded files independently before execution. A clone also shows a repository creation date far later than the commit history it carries, which is a quick way to tell it apart from the project it imitates.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem. 
