Approximately 10,000 Trojan-Horse Repositories Found on GitHub
The attack exploits user trust in cloned project histories and search-engine visibility, and the scale (roughly 10,000 repositories) suggests a coordinated campaign that GitHub is only beginning to address.
Reporting from 1 source: GIGAZINE.
Developer Orchid reported finding roughly 10,000 GitHub repositories distributing Trojan horses by cloning legitimate projects. The cloned repos retain the original commit history and contributor information but add a malicious ZIP download link to the README. GitHub has begun removing the repositories, but the actual scale may be larger.
Developer Orchid discovered the problem while searching for his own project. Bing showed a different user's repository with the same name and description, while Google displayed the legitimate one. The cloned version kept the original commit history and contributor information, but its README contained a link to a ZIP file. Submitting only the URL to VirusTotal returned no detection, but scanning the ZIP file itself flagged a Trojan horse.
To find similar repositories, Orchid used GH Archive, which records public GitHub activity. Starting from about 16 million commit push events over five days, he narrowed the set down to repositories being modified at a suspicious frequency. The malicious repos shared common features: a ZIP link in the README, a cloned update history, and a latest commit message of "Update README.md." After adjusting the conditions, roughly 10,000 of about 40,000 candidates matched.
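The two-stage triage described above, as an added example that is not Orchid's own tooling or query: a push-event filter over GH Archive-style JSON lines, followed by a README check for direct ZIP links. The event records, repository names, commit SHAs and README texts are constructed for illustration; real GH Archive data is published as hourly gzip-compressed JSON-lines files, and README contents are not part of it and would have to be fetched separately (here they are supplied as a dict). The threshold of two README-only pushes in the window is an assumed stand-in for the frequency cutoff the article does not specify.

```python
import json
import re
from collections import defaultdict

# Constructed sample in GH Archive's JSON-lines layout (type, repo.name,
# created_at, payload.commits). Names and SHAs are made up; the final line
# is deliberately truncated to show that malformed records are skipped.
SAMPLE_GHARCHIVE_JSONL = r'''
{"type":"PushEvent","repo":{"name":"clone-acct-1/widgetlib"},"created_at":"2026-05-01T10:00:00Z","payload":{"ref":"refs/heads/main","commits":[{"sha":"0a1","message":"Update README.md"}]}}
{"type":"PushEvent","repo":{"name":"origdev/widgetlib"},"created_at":"2026-05-01T11:30:00Z","payload":{"ref":"refs/heads/main","commits":[{"sha":"0b2","message":"Fix parser edge case"}]}}
{"type":"WatchEvent","repo":{"name":"origdev/widgetlib"},"created_at":"2026-05-02T08:00:00Z","payload":{"action":"started"}}
{"type":"PushEvent","repo":{"name":"clone-acct-2/nettool"},"created_at":"2026-05-02T09:15:00Z","payload":{"ref":"refs/heads/main","commits":[{"sha":"0c3","message":"Add tests"},{"sha":"0c4","message":"Update README.md"}]}}
{"type":"PushEvent","repo":{"name":"clone-acct-2/nettool"},"created_at":"2026-05-04T09:15:00Z","payload":{"ref":"refs/heads/main","commits":[{"sha":"0c5","message":"Update README.md"}]}}
{"type":"PushEvent","repo":{"name":"clone-acct-1/widgetlib"},"created_at":"2026-05-03T10:00:00Z","payload":{"ref":"refs/heads/main","commits":[{"sha":"0d6","message":"Update README.md"}]}}
{"type":"PushEvent","repo":{"name":"truncated/line","created_at":"2026-05-05T
'''

# Constructed README contents keyed by repo name (assumption: fetched out of band).
SAMPLE_READMES = {
    "clone-acct-1/widgetlib": "# widgetlib\n\nDownload: [Latest build](https://example.invalid/dl/widgetlib_v2.zip)\n",
    "clone-acct-2/nettool": "# nettool\n\nInstall with pip.\n",
    "origdev/widgetlib": "# widgetlib\n\nA small parsing library. See docs/ for usage.\n",
}

README_ONLY_MESSAGE = "Update README.md"
ZIP_LINK = re.compile(r'https?://[^\s)\]"\'<>]+\.zip\b', re.IGNORECASE)


def parse_events(jsonl_text):
    """Parse GH Archive-style JSON lines, skipping blank or malformed records."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or corrupt line: drop it rather than abort the scan
    return events


def latest_commit_message(event):
    """The last entry in payload.commits is the head commit of the push."""
    commits = event.get("payload", {}).get("commits") or []
    return commits[-1].get("message", "") if commits else ""


def candidate_repos(events, min_pushes=2):
    """Stage 1: count pushes whose head commit is 'Update README.md' per repo,
    and keep repos at or above the assumed frequency threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        if latest_commit_message(ev).strip() == README_ONLY_MESSAGE:
            counts[ev["repo"]["name"]] += 1
    return {name: n for name, n in counts.items() if n >= min_pushes}


def readme_zip_links(readme_text):
    """Stage 2: extract direct .zip download URLs from README text."""
    return ZIP_LINK.findall(readme_text)


def triage(events, readmes, min_pushes=2):
    """Return {repo: [zip urls]} for repos that pass both stages."""
    flagged = {}
    for name in candidate_repos(events, min_pushes):
        links = readme_zip_links(readmes.get(name, ""))
        if links:
            flagged[name] = links
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_GHARCHIVE_JSONL)
    for repo, links in triage(evs, SAMPLE_READMES).items():
        print(repo, links)
```

Both stages are heuristics, not verdicts: legitimate projects also link release ZIPs and also commit README-only changes, which is why the article's count moved from about 40,000 candidates to about 10,000 matches after tuning. The decisive step remains the one Orchid took by hand, downloading and scanning the ZIP itself, since a URL-only lookup returned nothing.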
Similar attacks were reported in April 2026 by the security company Hexastrike, which found 109 fake repositories operated by 103 accounts. Those ZIP files contained a loader that fetched further programs, followed by information-stealing malware such as StealC. Orchid speculated that attackers clone relatively new projects because fewer searches make it easier to push fake repos to the top of search results. GitHub has begun removing the repositories, but Orchid noted that his search conditions covered only a portion of GitHub, so the actual scale may be larger.
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.