10,000 malicious GitHub repos detected: AI agents compromising their owners


Developers on GitHub are finding their projects cloned by the thousands. Hackers slip trojans into fake repos and wait for a sleepy developer or a gullible AI agent to download one. So far, 10,000 repositories have been flagged, and GitHub is actively removing them.


A solo developer going by the alias Orchid has uncovered a massive, likely automated, malicious campaign on GitHub that created thousands of fake repositories containing crypto-stealing Trojans.

The scheme is pretty simple: threat actors clone new repositories rather than popular, established ones, insert malware, and their fake repos often rank higher in search results than the originals.

Fake repos are also actively updated every few hours, likely to avoid detection – commits are deleted, and new ones are added.

“I found 10,000 repositories on GitHub that distribute Trojan malware. They are all from different contributors, have different names, and are not forks of other repositories. But they share a common pattern, which is what allowed me to write a script to find such repositories,” Orchid shared in a blog post.

Orchid also published a list of 9,330 malicious GitHub repositories detected by the script. GitHub has already removed most of them, but the attack appears to be ongoing, and many repos remain active.

The author believes they found only a small percentage of repositories because of GitHub’s API limit of 5,000 requests per hour.


The campaign became apparent after Orchid’s own project got cloned and indexed in the search results.


“I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results, with the exact same name and description,” Orchid writes.

Some previous posts on Reddit and other blogs had identified this scheme earlier, with developers complaining that their projects were being spoofed.

On Hacker News, the issue became one of the most upvoted posts of the day, with many developers confirming they had experienced similar attacks.

“This is happening to me as well. I have a few moderately popular open source projects, and I have found my name attached to new projects that I have nothing to do with, or they are derivatives of my projects with redirection to unknown sites,” posted one of the developers.

Some tech pros suspect that cloned repositories target AI agents rather than humans – searching for niche code leads to cloned repositories, and agents are more likely to pull the attached ZIP file containing malware.


What’s in the sack?

The distinctive tactic of the threat actors in this campaign is to add a link to the readme document, instructing the user to download a ZIP archive buried in the directory structure, unpack it, and run the extracted file. This pattern was consistent across all detected repositories.

The ZIP file usually contains four files:

  • an executable, such as loader.exe, luajit.exe, or another_name.exe,
  • a Windows Command Script (.cmd) file,
  • a random deco text file (.txt or .cso),
  • a DLL library named lua51.dll.
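
A pre-unpack check for the pattern described above, as an added example (not Orchid's script or Hexastrike's tooling): it reads only the README text and the ZIP's file listing, and extracts nothing. The function names, indicator labels and sample inputs are constructed for illustration.

```python
import io
import re
import zipfile

# Markdown or HTML links whose target ends in .zip (pattern is an assumption).
ZIP_LINK = re.compile(r"\]\(([^)\s]+\.zip)\)|href=[\"']([^\"']+\.zip)[\"']", re.I)

def readme_zip_links(readme_text):
    """Return links in a README that point at a .zip file."""
    return [a or b for a, b in ZIP_LINK.findall(readme_text)]

def archive_indicators(zip_bytes):
    """Return which parts of the four-file layout appear in a ZIP's listing.
    Only the central directory is read; nothing is extracted or executed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n.rsplit("/", 1)[-1].lower()
                 for n in zf.namelist() if not n.endswith("/")]
    found = set()
    if any(n.endswith(".exe") for n in names):
        found.add("executable")
    if any(n.endswith(".cmd") for n in names):
        found.add("cmd_launcher")
    if any(n.endswith((".txt", ".cso")) for n in names):
        found.add("text_file")
    if "lua51.dll" in names:
        found.add("lua51_dll")
    return found

def is_suspicious(readme_text, zip_bytes):
    """Flag a README that links to a ZIP whose listing has all four parts."""
    return bool(readme_zip_links(readme_text)) and len(archive_indicators(zip_bytes)) == 4

def build_sample_zip(names):
    # Constructed sample: empty files, only the names matter here.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()

# Constructed inputs, not taken from any real repository.
SAMPLE_README = "## Download\n[Get the latest release](assets/img/app-v1.2.zip)\n"
SAMPLE_BAD = build_sample_zip(["loader.exe", "start.cmd", "data.txt", "lua51.dll"])
SAMPLE_OK = build_sample_zip(["README.md", "src/main.py", "notes.txt"])

if __name__ == "__main__":
    print(is_suspicious(SAMPLE_README, SAMPLE_BAD), is_suspicious(SAMPLE_README, SAMPLE_OK))
```
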

Cybersecurity firm Hexastrike previously explained how this malware works and independently uncovered 109 malicious repositories across 103 accounts, after its own project was also cloned by the threat actor.

“The victim extracts the ZIP and launches a batch file. That launcher starts a LuaJIT interpreter with an obfuscated Lua script as its argument. In the samples we analyzed, that SmartLoader stage hides execution, performs a native anti-debug check, resolves its current C2 through a Polygon smart contract, downloads a functionally overlapping second-stage Lua script from a separate GitHub repository tied to the same campaign,” the report reads.

The use of blockchain-based infrastructure makes the operation harder to take down.

The initial stages often pull StealC infostealer, which is advanced malware capable of stealthy data exfiltration and persistence. It can steal crypto wallets, logins, credit cards, cookies, browser histories, email accounts, Steam, Discord, Telegram, and other data.

Orchid notes that simply pasting a link to the ZIP file on VirusTotal will not reveal the malware – only when the ZIP archive itself is submitted will it be flagged.


AI agents are the likely target

Developers on Hacker News believe that the campaign is targeted at AI agents rather than humans. It’s harder to fool developers who browse GitHub manually into running executables from suspicious ZIP files, but AI agents searching for dependencies might be convinced by the poisoned content.

“They just need to appear on a fraction of the searches agents do to add dependencies and get lucky a couple of times to start a new infection cluster,” one of the Hacker News members, guhcampos, said.


The fake repositories are convincing and appear legitimate because they retain nearly all the original code, and only the README is stripped of the technical content and poisoned with download buttons to the added ZIP.


GitHub is removing flagged repos, but the response is inconsistent

Orchid also said that it took nearly 2 months to remove 2 malicious repositories that were clones of their project.

“I submitted a request to GitHub support asking them to delete these repositories. Two weeks passed, and nothing has changed. GitHub support hasn’t responded,” the write-up reads.

“Another month later, GitHub support sent me an email saying that they had removed these repositories.”


However, GitHub promptly began deleting the repositories flagged by Orchid’s script, even though the developer didn’t report them – there were simply too many of the malicious repositories.

Still, the blog post links to 3 malicious repositories that are 2 months old.

“These repositories have been around for many months, some even for over a year, and GitHub does not automatically detect and delete them,” Orchid pondered.


Who’s behind the attacks?

Hexastrike assessed that the activity is tied to a single threat actor or a tightly controlled cluster.

“The campaign appears to be operated by a single threat actor or tightly controlled cluster based on infrastructure overlap, synchronized repository updates, and consistent tooling,” Hexastrike warned.

They noted the operational consistency and infrastructure overlap: ZIP files and download links were rotated, and repos were updated in batches. Stable README structures, staging patterns, and malware pointed to centralized control and automation.

However, the operator behind the campaign remains unknown.

