10,000 GitHub Repos Push Hidden Trojans: Inside the Overwrite-and-Rank Malware Operation

An independent researcher uncovered 10,000 GitHub repositories that overwrite commits to push Trojan zips via README links. The campaign ranks new repos high in niche searches while similar attacks using Amadey, stealers, and fake tools continue. Developers must verify before downloading. The playbook persists.
Written by Maya Perez

GitHub holds billions of lines of code. Developers trust its search results daily. Yet for more than a year, thousands of fresh repositories have funneled unsuspecting users straight to Trojan-laden zip files.

One researcher uncovered the scale. In a detailed report, independent analyst orchidfiles documented roughly 10,000 repositories that followed an identical, suspicious pattern. All carried different names. None were forks. Each updated its README.md every few hours by deleting the prior commit and pushing an identical new one. The only change? A fresh link to a zip archive.

That archive almost always contained the same quartet of files: Application.cmd or Launcher.cmd, an executable named loader.exe, luajit.exe or something random, a .cso or .txt file, and lua51.dll. Submit the download link to VirusTotal and it reports clean. Upload the zip itself and a Trojan lights up. The tactic has persisted since at least early 2024.

Orchidfiles built a script to hunt them. It started with 14 exact matches. Relaxed filters surfaced 40,000 candidates that were updated between once and 24 times per day. Narrowing further yielded the 10,000 that matched every behavioral marker. The full list sits in a public GitHub repository he published alongside his findings (orchidfiles.com/github-repositories-distributing-malware/).
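The behavioral markers described above (HEAD replaced rather than extended, the same README pushed again with only the zip link changed, a cadence of every few hours) can be checked from a repository's observed commit history alone. The Python below is an added example written for this article, not orchidfiles' git-malware-finder script: the `Snapshot` record, the thresholds and the sample observations are assumptions and constructed values, chosen so that a polling script's output (head SHA from `git ls-remote`, commit count from `git rev-list --count HEAD`, the README at that commit) can be scored the same way.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Direct links to zip archives embedded in README text.
ZIP_LINK = re.compile(r"https?://[^\s)>\]]+\.zip", re.IGNORECASE)


@dataclass(frozen=True)
class Snapshot:
    """One observation of a repository's default branch (field names assumed for this example)."""
    taken_at: datetime
    head_sha: str        # commit the default branch pointed at when observed
    commit_count: int    # commits reachable from head_sha
    readme: str          # README.md content at that commit


def zip_links(readme: str) -> frozenset:
    """Set of .zip URLs found in a README."""
    return frozenset(ZIP_LINK.findall(readme))


def overwrite_markers(snapshots, max_gap_hours=12.0, min_rewrites=2):
    """Score a repository against the article's markers.

    A push that changes HEAD without growing the commit count means the
    previous commit was discarded rather than extended (a rewrite).  A
    rewrite whose only visible effect is a different .zip link is a link
    rotation.  Thresholds are assumptions chosen for this example.
    """
    snaps = sorted(snapshots, key=lambda s: s.taken_at)
    rewrites = 0
    link_rotations = 0
    gaps_hours = []
    for prev, cur in zip(snaps, snaps[1:]):
        if cur.head_sha == prev.head_sha:
            continue  # nothing was pushed between the two observations
        if cur.commit_count <= prev.commit_count:
            rewrites += 1
            gaps_hours.append((cur.taken_at - prev.taken_at).total_seconds() / 3600)
            if zip_links(cur.readme) != zip_links(prev.readme):
                link_rotations += 1
    cadence = median(gaps_hours) if gaps_hours else None
    suspicious = (
        rewrites >= min_rewrites
        and link_rotations >= min_rewrites
        and cadence is not None
        and cadence <= max_gap_hours
    )
    return {
        "rewrites": rewrites,
        "link_rotations": link_rotations,
        "median_gap_hours": cadence,
        "suspicious": suspicious,
    }


def sample_snapshots():
    """Constructed observations: one repo matching the pattern, one ordinary repo."""
    t0 = datetime(2025, 1, 1, 0, 0)
    rotating = [
        Snapshot(t0 + timedelta(hours=6 * i), f"sha{i:02d}", 1,
                 f"# Tool\nDownload: https://example.invalid/build{i}.zip")
        for i in range(4)
    ]
    readme = "# Tool\nDownload: https://example.invalid/release-v1.zip"
    growing = [
        Snapshot(t0 + timedelta(days=i), f"real{i:02d}", 10 + i, readme)
        for i in range(4)
    ]
    return rotating, growing


if __name__ == "__main__":
    for label, snaps in zip(("rotating", "growing"), sample_snapshots()):
        print(label, overwrite_markers(snaps))
```

The check deliberately needs more than one observation: a single amended commit on a legitimate project looks the same as one rewrite, so it is the repetition at a short, regular cadence combined with a link that changes every time that separates the pattern from normal history cleanup.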

Examples include github.com/lucasheriq4374/welink, github.com/lucioloprey/OcyShield-Framework, and github.com/luigi1973/AssetRipper-CLI. Each followed the overwrite cadence. Each existed primarily to rank high in low-volume searches. And each fed victims the same hidden payload.

But this isn’t an isolated scheme. Similar campaigns keep surfacing. In July 2025, Cisco Talos researchers Chris Neal and Craig Jackson detailed how malware-as-a-service operators created fake GitHub accounts to host Amadey botnet payloads, Lumma Stealer, RedLine Stealer, and Rhadamanthys. The accounts Legendary99999, DFfe9ewf, and Milidmdds served plugins and secondary tools while dodging web filters (The Hacker News).

Earlier this year, StepSecurity tracked the ForceMemo campaign. Attackers compromised hundreds of GitHub accounts and force-pushed identical malicious code into Python repositories. The injections, which began in March 2026, targeted setup.py, main.py, and app.py files in Django apps, machine-learning projects, and PyPI packages. Anyone who cloned and ran the code triggered the malware. The campaign remains active (StepSecurity).

Malwarebytes researchers found another vector in May 2026. Fake installers and plugins impersonating ChatGPT, Claude, AutoTune, and Kontakt distributed a Deno-based backdoor called DinDoor. The same backdoor appeared on SourceForge under different disguises. Malicious accounts created clusters of repositories packed with lures. One GitHub account hosted multiple fake tools at once (Malwarebytes).

ReversingLabs documented 67 copycat repositories in a 2025 campaign by a group they called Banana Squad. Each mimicked legitimate Python hacking tools. The goal was simple: catch developers who searched for known utilities and downloaded the malicious twin instead (Dark Reading).

So what drives the original 10,000-repo operation? Orchidfiles offers two explanations that fit the observed behavior. First, the attackers probe GitHub’s systems. Overwriting commits may bypass certain detection algorithms. Copying commit history from other repositories creates an appearance of legitimacy without the risk of forking popular projects that draw scrutiny.

Second, they chase distribution. New repositories surface at the top of search results for niche terms. They add trending tags. They appear in low-competition queries. Users land on them, see a plausible-sounding project name, click the README link, and download the zip. No fancy social engineering. Just search-engine optimization married to malware delivery.

The researcher noted that some repositories had operated for over a year. During a five-day observation window, the broader set generated 16 million commit pushes. GitHub began deleting many of the flagged repositories after his article appeared. He chose not to contact the company directly this time. The volume was simply too high. “If any of you have direct contact with GitHub’s security team, please send them a link to this article,” he wrote.

Earlier incidents hinted at the pattern. A February 2025 Reddit thread in r/github warned that new repositories were being spoofed to host malware. An April 2024 analysis by HexaStrike researchers found 109 repositories pushing SmartLoader and StealC using a nearly identical technique (HexaStrike).

Checkmarx and Apiiro had already flagged over 100,000 repositories in a malicious repo-confusion campaign by early 2024. The tactics evolve but the platform remains fertile ground. Attackers create believable histories, exploit search ranking, and iterate faster than automated defenses can respond.

GitHub faces real constraints. Its API rate limits hinder large-scale scanning. Deleting repos after the fact helps, yet new accounts and new repositories appear quickly. The company has improved its malware detection. It removes violating content when reported. Yet the steady drumbeat of fresh campaigns suggests the incentives still favor the attackers.

Developers bear part of the burden. Verify the repository age. Check commit history for sudden overwrites. Scan downloaded archives before execution. Prefer packages from established maintainers or signed releases. And treat search-result repositories with extra skepticism, especially those promising niche utilities with minimal documentation.
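For the "scan downloaded archives before execution" step, and the file quartet described earlier in the article, the Python below is an added example (not code from the article or from the researcher): it lists a zip's members without extracting anything, flags the reported launcher, loader and lua51.dll combination, and hashes the archive itself so the file rather than its download URL can be submitted for checking. The name lists, the extension sets and both sample archives are constructed for this example.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# File names the article reports inside the payload archives.
LAUNCHER_NAMES = {"application.cmd", "launcher.cmd"}
LOADER_NAMES = {"loader.exe", "luajit.exe"}
SIDELOAD_DLLS = {"lua51.dll"}
# Assumptions for this example: what counts as a script launcher or a native binary.
SCRIPT_EXTS = {".cmd", ".bat", ".ps1", ".vbs", ".js"}
BINARY_EXTS = {".exe", ".dll", ".scr"}


def inspect_archive(data: bytes) -> dict:
    """List a zip's members and flag the reported payload shape without extracting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info.filename for info in zf.infolist() if not info.is_dir()]
    base_names = [PurePosixPath(m).name.lower() for m in members]
    exts = {PurePosixPath(n).suffix for n in base_names}
    findings = []
    if LAUNCHER_NAMES & set(base_names):
        findings.append("launcher script named like the reported payload")
    if LOADER_NAMES & set(base_names):
        findings.append("loader executable named like the reported payload")
    if SIDELOAD_DLLS & set(base_names) and BINARY_EXTS & exts:
        findings.append("lua51.dll shipped beside an executable (Lua loader pattern)")
    if SCRIPT_EXTS & exts and BINARY_EXTS & exts:
        findings.append("script launcher bundled with binaries")
    if any(m.startswith("/") or ".." in PurePosixPath(m).parts for m in members):
        findings.append("member path escapes the extraction directory")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # hash of the file, not of its URL
        "members": members,
        "findings": findings,
        "run_allowed": not findings,
    }


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_archives():
    """Constructed archives: one shaped like the reported quartet, one ordinary source drop."""
    quartet = build_zip({
        "Application.cmd": "@echo off\r\nrem placeholder, no real commands\r\n",
        "luajit.exe": b"MZ placeholder bytes",
        "lua51.dll": b"MZ placeholder bytes",
        "data.cso": b"placeholder payload",
    })
    source = build_zip({
        "README.md": "# demo\n",
        "src/main.py": "print('hello')\n",
    })
    return quartet, source


if __name__ == "__main__":
    for label, data in zip(("quartet", "source"), sample_archives()):
        print(label, inspect_archive(data))
```

The member listing is read from the central directory only, so nothing is written to disk; a name match is a reason to stop and submit the hash, not proof on its own, and an archive that passes the name checks still deserves a full scan before anything in it is executed.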

The operation orchidfiles exposed reveals more than one campaign. It exposes a reliable playbook. Create volume. Mimic legitimacy through history and metadata. Rank in search. Deliver the Trojan. Repeat. As long as developers download first and verify second, the cycle continues.

Recent supply-chain incidents, from poisoned VS Code extensions to backdoored GitHub Actions workflows, show the threat reaches deeper into development pipelines. CISA warned in May 2026 about compromises impacting Nx Console and internal GitHub repositories themselves. The Megalodon campaign injected malicious workflows to harvest credentials across thousands of public projects.

Security teams now monitor GitHub traffic alongside traditional threat feeds. Researchers share indicators faster. Yet the barrier to entry for these repository-based attacks remains low. A handful of accounts, a script to rotate commits, and a steady supply of zip files can generate millions of potential infections.

Orchidfiles published both his detection script and the complete list of 10,000 repositories. The script, available at github.com/orchidfiles/git-malware-finder, lets others hunt similar patterns. Whether it prompts broader platform changes or simply arms defenders remains to be seen. For now, the repositories keep appearing. The downloads keep happening. And the Trojans wait inside unassuming zip files at the top of search results.
