I found 10k GitHub repositories distributing Trojan malware
5 hours ago
- #Cybersecurity
- #GitHub Security
- #Malware Distribution
- A researcher found 10,000 GitHub repositories distributing Trojan malware by analyzing patterns in repository behavior.
- The malicious repositories copy commits from legitimate projects, add a link to a zip archive in the README, and update frequently to avoid detection.
- The zip archives contain disguised Trojans that evade initial VirusTotal scans but are detected when the zip file itself is submitted.
- A script (Git Malware Finder) was developed to identify such repositories from patterns such as frequent commits that update only the README.
- GitHub's security algorithms currently fail to automatically detect and remove these repositories, some of which have been active for over a year.
- The attackers likely clone newly created repositories to exploit search-engine indexing and build trust by preserving commit histories and contributor lists.
- Open questions remain about the scale of the campaign, the purpose of the executable files, and GitHub's lack of proactive detection.
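The two behavioral heuristics described above (recent commits that touch only the README, and a README linking to a zip archive), as an added Python example that is not the Git Malware Finder script from the original post; the commit records, thresholds and URLs are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed commit records (hypothetical sample input, not real repositories):
# each commit lists the paths it changed, in chronological order.
@dataclass
class Commit:
    sha: str
    changed_paths: list

README_NAME = re.compile(r"^readme(\.(md|rst|txt))?$", re.IGNORECASE)
# Direct link to a zip archive anywhere in the README text.
ZIP_LINK = re.compile(r"https?://[^\s)\]]+\.zip\b", re.IGNORECASE)

def touches_only_readme(commit: Commit) -> bool:
    """True when every path changed by the commit is a README file."""
    if not commit.changed_paths:
        return False
    return all(README_NAME.match(p.rsplit("/", 1)[-1]) for p in commit.changed_paths)

def score_repo(commits, readme_text, window=10, min_ratio=0.8):
    """Apply both heuristics to one repository and return (flagged, reasons).

    A repo is flagged when most of its recent commits change only the README
    *and* the README links to a zip archive. Window and ratio are assumed
    thresholds, not values from the original tool.
    """
    recent = commits[-window:]
    reasons = []
    if not recent:
        return False, reasons
    readme_only = sum(touches_only_readme(c) for c in recent)
    ratio = readme_only / len(recent)
    if ratio >= min_ratio:
        reasons.append(f"{readme_only}/{len(recent)} recent commits change only the README")
    zip_links = ZIP_LINK.findall(readme_text)
    if zip_links:
        reasons.append(f"README links to zip archive(s): {', '.join(zip_links)}")
    return (ratio >= min_ratio and bool(zip_links)), reasons

# Constructed samples: one repo matching the pattern and one ordinary project.
SUSPECT_COMMITS = [Commit("c0", ["src/app.py", "README.md"])] + \
    [Commit(f"c{i}", ["README.md"]) for i in range(1, 10)]
SUSPECT_README = "Download build: https://example.invalid/releases/tool-latest.zip"
NORMAL_COMMITS = [Commit(f"n{i}", ["src/app.py", "tests/test_app.py"]) for i in range(8)] + \
    [Commit("n8", ["README.md"]), Commit("n9", ["docs/index.md"])]
NORMAL_README = "Install with pip; see https://example.invalid/docs for details."
```

Running `score_repo(SUSPECT_COMMITS, SUSPECT_README)` flags the first sample and lists both reasons, while the ordinary project is not flagged; on real data the commit lists would come from the repository's history and the README from its default branch.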