2026/06/18/researcher-finds-10-000-github-repositories

Researcher finds 10,000 GitHub repositories cloning legitimate projects and adding ZIP links to spread Trojan malware

Source: orchidfiles.com

EDITOR BRIEF

A researcher says they uncovered a large malware campaign involving roughly 10,000 GitHub repositories that copy legitimate projects, preserve commit history, and then add ZIP archive links to README files. The repos repeatedly refresh the malicious commit, and GitHub support allegedly took weeks to respond after the researcher reported the first examples.

INSIGHTS

The campaign shows how attackers can abuse GitHub’s trust signals, including contributor history and familiar project metadata, to make malware distribution look legitimate. It also highlights a moderation gap: large developer platforms may need faster detection of cloned repos, repeated README edits, and suspicious external download links.
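One way a maintainer or platform reviewer could check a suspected clone for the pattern described above, as an added example that is not from the original article. The function names, the README texts, the URLs and the commit records are constructed, and treating README-only commits as a supporting signal is an assumption.

```python
import re
from urllib.parse import urlparse

# Markdown link targets "[text](target)" and bare http(s) URLs.
LINK_RE = re.compile(r"\[[^\]]*\]\((\S+?)\)|(https?://[^\s)>\"']+)")

def archive_links(readme):
    """Return the set of link targets in README text whose path ends in .zip."""
    found = set()
    for md_target, bare in LINK_RE.findall(readme):
        url = md_target or bare
        if urlparse(url).path.lower().endswith(".zip"):
            found.add(url)
    return found

def review_fork(upstream_readme, fork_readme, fork_commits):
    """Compare a suspected clone against the project it copies.

    fork_commits: commits present only in the clone, each {"id", "files"}.
    """
    # Links the legitimate project already publishes are not findings.
    added = archive_links(fork_readme) - archive_links(upstream_readme)
    # Commits that touch nothing but README files (assumed supporting signal).
    readme_only = [
        c["id"] for c in fork_commits
        if c["files"] and all(
            f.rsplit("/", 1)[-1].lower().startswith("readme") for f in c["files"])
    ]
    return {
        "added_zip_links": sorted(added),
        "readme_only_commits": readme_only,
        "needs_review": bool(added),
    }

# Constructed sample data (hypothetical project and hosts).
UPSTREAM = ("# fastlog\n\nInstall with `pip install fastlog`.\n"
            "Source archive: [v1.2](https://example.invalid/fastlog-1.2.zip)\n")
FORK = UPSTREAM + ("\n## Download\n[![Get it](https://img.example.invalid/btn.png)]"
                   "(https://files.example.invalid/fastlog_setup.zip?raw=true)\n")
COMMITS = [
    {"id": "c1", "files": ["README.md"]},
    {"id": "c2", "files": ["README.md"]},
    {"id": "c3", "files": ["docs/README.md"]},
    {"id": "c4", "files": ["README.md", "src/app.py"]},
]

if __name__ == "__main__":
    print(review_fork(UPSTREAM, FORK, COMMITS))
```

The check only surfaces candidates for human review; a ZIP link added in a fork can be legitimate.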
