
Hackers Compromised 10,000+ GitHub Repositories to Inject Malicious Script

Source: Cybersecurity News (archived Jun 22, 2026)

By Abinaya, June 22, 2026

A large-scale malware campaign has been uncovered on GitHub after a researcher identified more than 10,000 repositories distributing Trojan-laced archives, raising concerns about abuse of the platform’s trust model and limitations in automated detection.

The investigation began when the researcher noticed a cloned version of their own repository appearing in search engine results. While the project name, description, and commit history appeared identical, a newly added commit introduced a malicious link in the README file pointing to a downloadable ZIP archive. Similar behavior was later observed across multiple repositories with different names and contributors, with no direct fork relationships, suggesting a coordinated campaign rather than isolated incidents.

Closer analysis revealed a consistent pattern across these repositories. Attackers replicated legitimate repositories, including full commit histories and contributor profiles, likely to establish credibility.

GitHub Malware Campaign Impacts

They then periodically modified the README file to include links to external ZIP archives. These commits were often overwritten and re-pushed every few hours, typically labeled “Update README.md,” a tactic that may help evade detection mechanisms or maintain visibility in indexing systems.

The linked ZIP archives contained a small set of files, including command scripts, executable loaders, and dynamic libraries. While individual file links often returned no detections on VirusTotal, downloading and scanning the full archive revealed Trojan malware. This indicates the attackers may be using evasion techniques that rely on splitting or obfuscating payload components to bypass automated scanning tools.

To identify the scale of the campaign, the researcher developed a script using GitHub event data from GH Archive. Instead of scanning all repositories, which would be impractical due to API rate limits, the script focused on repositories with frequent commit activity. Out of approximately 16 million commit events analyzed over five days, around 3,000 repositories showed suspicious update patterns. After refining filters to exclude bots, enforcing contributor diversity, and detecting anomalous commit timing, the script ultimately identified roughly 10,000 repositories that matched the malicious pattern.

According to Orchid in a report shared with Cybersecurity News, many of the compromised repositories had remained undetected for months or even years. Researchers also found that several repositories were updated only infrequently, challenging the assumption that rapid commit activity is a defining trait of malicious repositories. Additional indicators included commits with no actual file changes and consistent naming conventions, further highlighting automated deployment methods.

The campaign appears designed to exploit GitHub’s visibility in search engines and developer workflows. By cloning newly created or low-traffic repositories, attackers increase the likelihood of appearing in search results for niche queries. Preserving commit history and contributor metadata adds legitimacy, making it more likely that users will trust and download the malicious files.

Despite reporting efforts, remediation has been inconsistent. GitHub removed repositories explicitly listed by the researcher. However, newly identified ones remained active, suggesting a reactive rather than proactive enforcement approach. Public reports and earlier research indicate this tactic has been in use since at least early 2025, with similar campaigns distributing malware families such as SmartLoader and StealC.

The findings highlight a broader challenge for code hosting platforms: detecting malicious behavior that mimics legitimate development activity. Without scalable analysis of repository content, commit patterns, and external links, such campaigns can persist undetected. For developers, the incident underscores the importance of verifying external downloads, even when sourced from seemingly legitimate repositories.
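The detection heuristics the article attributes to the researcher (repeated "Update README.md" pushes a few hours apart, exclusion of bot accounts, README links to external ZIP archives) can be expressed as a small triage filter. This is an added example, not the researcher's script or GitHub's tooling; it runs over constructed records with simplified GH Archive-style PushEvent fields (`repo`, `actor`, `created_at`, `messages`) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events shaped like simplified GH Archive PushEvent records.
# Not real data: one repo shows the 3-hourly README-only push cadence, the
# other shows ordinary development plus a bot push that must be ignored.
EVENTS = [
    {"repo": "alice/fast-parser", "actor": "alice", "created_at": "2026-06-20T01:00:00Z",
     "messages": ["Update README.md"]},
    {"repo": "alice/fast-parser", "actor": "alice", "created_at": "2026-06-20T04:00:00Z",
     "messages": ["Update README.md"]},
    {"repo": "alice/fast-parser", "actor": "alice", "created_at": "2026-06-20T07:00:00Z",
     "messages": ["Update README.md"]},
    {"repo": "alice/fast-parser", "actor": "alice", "created_at": "2026-06-20T10:00:00Z",
     "messages": ["Update README.md"]},
    {"repo": "bob/cli-tool", "actor": "bob", "created_at": "2026-06-20T09:00:00Z",
     "messages": ["Fix flag parsing", "Add tests"]},
    {"repo": "bob/cli-tool", "actor": "dependabot[bot]", "created_at": "2026-06-20T10:00:00Z",
     "messages": ["Update README.md"]},
]

ZIP_LINK = re.compile(r"https?://[^\s)\]]+\.zip\b", re.IGNORECASE)

def external_zip_links(readme, own_repo):
    """Return .zip links in README text that do not point at the repo's own GitHub path."""
    own = f"github.com/{own_repo}/"
    return [u for u in ZIP_LINK.findall(readme) if own not in u]

def repeated_readme_pushes(events, min_pushes=3, max_gap_hours=6.0):
    """Flag repos where a non-bot actor pushes only 'Update README.md' commits at
    least min_pushes times, with every consecutive gap at most max_gap_hours."""
    by_repo = defaultdict(list)
    for ev in events:
        if ev["actor"].endswith("[bot]"):
            continue  # drop automation noise, as the researcher's filters did
        if all(m.strip() == "Update README.md" for m in ev["messages"]):
            ts = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
            by_repo[ev["repo"]].append(ts)
    flagged = []
    for repo, times in by_repo.items():
        times.sort()
        if len(times) < min_pushes:
            continue
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if max(gaps) <= max_gap_hours:
            flagged.append(repo)
    return sorted(flagged)
```

A flagged repository is only a candidate for review; the article notes that some malicious repositories were updated infrequently, so this cadence filter alone would miss them and should be paired with the README link check and manual inspection.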