TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.
GitHub flooded with malware repos spoofing real projects–no response from GitHub

15 points by joshdotsmith, 4 months ago

GitHub is being overrun with repositories impersonating legitimate open-source projects to spread malware. One of them is spoofing my own app. I reported it through GitHub’s official channels days ago, reached out on social media, and even contacted individual GitHub employees. No response.

This isn’t just one or two cases; it looks like a massive campaign. The repos often copy a real project’s README and structure, though reworded through an LLM, but contain malicious code distributed through releases or sometimes attachments. Here’s one example: https://github.com/ojas1103/CircleProgressKit

Take care not to actually download this unless you know what you’re doing. This is malware.

Some of these have a high number of stars on occasion, though they are sometimes difficult to find because the threat actor appears to be constantly force-pushing code to force GitHub to re-index it, so they have to be discovered through external indexes.

The malware seems to predominantly contain Redline infostealers. It appears that they may even include some of the recent, more advanced 2FA credential stealers.

The worst part? These aren’t getting taken down despite multiple reports. GitHub appears to be a black hole. If someone downloads a spoofed repo thinking it’s safe, they could be running malware. I don’t know how many people have been affected, but it seems to be escalating.

At this point, I’m out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?
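The post above lists the signals that distinguish a spoofed repo from the real one: same repository name on a fresh (non-fork) account, a README whose outline matches but whose prose has been reworded, executable installers or archives attached to releases, and a homepage that is not the project's. As an added example, not code from the original post or from any project it names, here is a small Python triage script that scores candidate repositories on exactly those signals so a maintainer can rank what to report. All repository records, names, URLs and READMEs below are constructed inline (the script runs offline), and the similarity thresholds are assumptions; in practice the fields would be filled from the GitHub REST API's `/repos/{owner}/{repo}`, `.../readme` and `.../releases` endpoints.

```python
"""Triage GitHub repositories that may be impersonating a known project.

Added example, not code from the original post or from any project it names.
Every repository record is constructed inline so the script runs offline; in
practice the fields come from the GitHub REST API (/repos/{owner}/{repo},
.../readme and .../releases).  Thresholds, names and URLs are assumptions.
"""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass, field

# Release assets that are a red flag for a project whose genuine releases ship
# no installers or archives at all (source tarballs are deliberately excluded).
EXECUTABLE_ASSET_RE = re.compile(
    r"\.(exe|scr|msi|bat|cmd|ps1|vbs|jar|dmg|pkg|zip|rar|7z)$", re.I
)
HEADING_RE = re.compile(r"^#+\s*(.+?)\s*$", re.M)


@dataclass
class RepoInfo:
    full_name: str                      # "owner/name"
    readme: str
    fork: bool = False                  # GitHub marks real forks; a clone is not a fork
    homepage: str = ""
    release_assets: list[str] = field(default_factory=list)


def _headings(readme: str) -> set[str]:
    """Markdown headings, lowercased. LLM rewording changes prose, rarely the outline."""
    return {m.group(1).lower() for m in HEADING_RE.finditer(readme)}


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def readme_similarity(a: str, b: str) -> float:
    """Character-level similarity of whitespace-normalised text, 0.0 .. 1.0."""
    return difflib.SequenceMatcher(None, _norm(a), _norm(b)).ratio()


def heading_overlap(a: str, b: str) -> float:
    """Jaccard overlap of the two READMEs' heading sets."""
    ha, hb = _headings(a), _headings(b)
    return len(ha & hb) / len(ha | hb) if (ha or hb) else 0.0


def assess(original: RepoInfo, candidate: RepoInfo) -> dict:
    """Return the impersonation indicators a candidate repo exhibits."""
    findings: list[str] = []
    orig_name = original.full_name.split("/")[-1].lower()
    cand_name = candidate.full_name.split("/")[-1].lower()
    if cand_name == orig_name and not candidate.fork:
        findings.append("same_repo_name")

    sim = readme_similarity(original.readme, candidate.readme)
    overlap = heading_overlap(original.readme, candidate.readme)
    # A genuine fork carries the README legitimately; a fresh repo with the
    # same outline (or the same text) does not.
    if not candidate.fork and (sim >= 0.7 or overlap >= 0.6):
        findings.append("readme_copied")

    original_ships_binaries = any(EXECUTABLE_ASSET_RE.search(a) for a in original.release_assets)
    candidate_ships_binaries = any(EXECUTABLE_ASSET_RE.search(a) for a in candidate.release_assets)
    if candidate_ships_binaries and not original_ships_binaries:
        findings.append("executable_release_assets")

    if candidate.homepage and original.homepage and candidate.homepage != original.homepage:
        findings.append("homepage_mismatch")

    verdict = ("likely_impersonation" if len(findings) >= 2
               else "review" if findings else "clear")
    return {"repo": candidate.full_name, "similarity": round(sim, 2),
            "heading_overlap": round(overlap, 2), "findings": findings, "verdict": verdict}


def triage(original: RepoInfo, candidates: list[RepoInfo]) -> list[dict]:
    """Rank candidates, most suspicious first, for a takedown report."""
    rank = {"likely_impersonation": 0, "review": 1, "clear": 2}
    return sorted((assess(original, c) for c in candidates),
                  key=lambda r: (rank[r["verdict"]], -len(r["findings"])))


# --- constructed sample data (hypothetical names, URLs and READMEs) -----------
ORIGINAL = RepoInfo(
    full_name="maintainer/ProgressRing",
    homepage="https://progressring.example",
    release_assets=[],                   # the real project tags releases, ships no binaries
    readme="# ProgressRing\n"
           "A circular progress view for SwiftUI with an animated stroke and label.\n\n"
           "## Installation\nAdd the package URL in Xcode under File > Add Packages.\n\n"
           "## Usage\nEmbed `ProgressRing(progress: 0.42)` in any view.\n\n"
           "## License\nMIT\n",
)
SPOOF = RepoInfo(                        # same outline, reworded prose, installer in releases
    full_name="attacker-acct/ProgressRing",
    homepage="https://progressring-app.example",
    release_assets=["ProgressRing-Setup.exe", "ProgressRing-v2.zip"],
    readme="# ProgressRing\n"
           "An animated circular progress indicator for SwiftUI, with stroke and label.\n\n"
           "## Installation\nDownload the latest build from the Releases page and run it.\n\n"
           "## Usage\nEmbed `ProgressRing(progress: 0.42)` in any view.\n\n"
           "## License\nMIT\n",
)
FORK = RepoInfo(full_name="contributor/ProgressRing", fork=True, readme=ORIGINAL.readme)
UNRELATED = RepoInfo(
    full_name="someone/ring-cli",
    release_assets=["ring-cli-1.0.tar.gz"],
    readme="# ring-cli\nA tiny CLI that prints ANSI spinners.\n\n## Build\ncargo build --release\n",
)

if __name__ == "__main__":
    for result in triage(ORIGINAL, [UNRELATED, FORK, SPOOF]):
        print(result["verdict"], result["repo"], result["findings"])
```

The heading-overlap signal is what catches the LLM-reworded copies the post describes: the prose changes enough to defeat plain text matching, but the section outline, usage snippet and licence block are usually carried over verbatim. Genuine forks are exempted because GitHub records the fork relationship, whereas a spoof is a fresh repository with no parent; that distinction is also the first thing worth stating in a report to GitHub.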

3 comments

skydhash, 4 months ago

My suggestion (which I think I shared here for someone who was facing the same problem) is to go the way of bigger open source projects. Create a web site and add a link to the repo for the project. That's how I search for official repos: either a mention from reputable sources, or the project's web page. Not that it's more trustworthy, but a bit harder to spoof than just creating a new repo on GitHub.
yorwba, 4 months ago

I reported some issue spam in August last year and recently got an email from GitHub that they're looking at it.

So your report might get looked at in half a year. Less if they have working filters to prioritize reported malware.
mindcrime, 4 months ago

> At this point, I'm out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?

Not read any thriller / conspiracy novels? :-) The way is to do exactly what you're doing here: take the news public. Very public. The more the merrier. Post to HN, LinkedIn, Facebook, Slashdot, Twitter, TikTok, Reddit, etc. Send email to every news/media outlet you can find contact info for. @mention people who work for CNN, MSNBC, ABC News, Fox News, CBS News, Reuters, Associated Press, etc. on Twitter, or find them on LinkedIn and message them. Write up a press release and submit using PRNewsWire and such-like. Record a video and post on YouTube. Contact the Attorneys General for all 50 US states. And so on.

Comment #43056187 not loaded