GitHub flooded with malware repos spoofing real projects–no response from GitHub

GitHub is being overrun with repositories impersonating legitimate open-source projects to spread malware. One of them is spoofing my own app. I reported it through GitHub’s official channels days ago, reached out on social media, and even contacted individual GitHub employees. No response.<p>This isn’t just one or two cases; it looks like a massive campaign. The repos often copy a real project’s README and structure, though reworded through an LLM, but contain malicious code distributed through releases or sometimes attachments. Here’s one example: https:&#x2F;&#x2F;github.com&#x2F;ojas1103&#x2F;CircleProgressKit<p>Take care not to actually download this unless you know what you’re doing. This is malware.<p>Some of these have a high number of stars on occasion, though they are sometimes difficult to find because the Threat Actor appears to be constantly force pushing code to force GitHub to re-index it, so they have to be discovered through external indexes.<p>The malware seems to predominantly contain Redline infostealers. It appears that they may even include some of the recent more advanced 2FA credential stealers.<p>The worst part? These aren’t getting taken down despite multiple reports. GitHub appears to be a black hole. If someone downloads a spoofed repo thinking it’s safe, they could be running malware. I don’t know how many people have been affected, but it seems to be escalating.<p>At this point, I’m out of ideas. Has anyone else dealt with this? How do we get GitHub to take this seriously?