Someone is massively faking repositories and stars on GitHub to spread malware. #146575
Replies: 2 comments
Can anyone inform the official GitHub team about this attack? And find out who did this.
Hi @chmod777john, 👋🏻 We really appreciate you flagging this. The best route to get this to the proper GitHub team is to use our abuse reporting tools. Here's all the info: You can report behavior and content that violates community guidelines and terms. We are going to close this post, but for this and any future incidents, please refer to the links above. Thank you!
Topic Area: Show & Tell
Body
I was originally analyzing GitHub repositories, trying to find those with the fastest star growth in the last two days, but I unexpectedly discovered a large number of "ghost repositories."
These repositories were created by different accounts, but they have very similar creation times and total star counts. The content is also essentially identical. They are disguised as certain toolkits, inducing users to download a certain exe file, but there is not a single line of code.
Such repositories, within just a few hours of creation, have almost 200 stars, which is clearly abnormal. Based on past experience, they will be deleted after existing for a while.
Therefore, I have archived these pages on GhostArchive, so even if the attackers delete the repository and run away, the original appearance of these repositories can still be seen.
Suspect
I found these 3 accounts.
https://github.com/G4tito
https://github.com/BrunoSobrino
https://github.com/elrebelde21
G4tito starred many phishing repos.
BrunoSobrino and elrebelde21 followed G4tito.
BrunoSobrino claims to be a member of "The Shadow Brokers" (a hacker group).
BlockChain evidence
I am the first one who found this attack.
The tools I use
This tool was initially used to find out which repos gained the most stars during the most recent 2 days. I accidentally found this attack.
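The pattern described in the post above (different accounts, near-identical creation times and star counts, roughly 200 stars within hours, no code) can be expressed as a clustering check over repository metadata. This is an added example, not part of the original post or the author's tool; the field names, thresholds and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample metadata (not real repositories). "code_files" is a
# hypothetical field: the number of source files found in the repository.
REPOS = [
    {"name": "acct-a/toolkit", "created": "2024-11-01T10:00:00", "seen": "2024-11-01T15:00:00", "stars": 198, "code_files": 0},
    {"name": "acct-b/toolkit-pro", "created": "2024-11-01T10:20:00", "seen": "2024-11-01T15:00:00", "stars": 201, "code_files": 0},
    {"name": "acct-c/free-toolkit", "created": "2024-11-01T10:45:00", "seen": "2024-11-01T15:00:00", "stars": 195, "code_files": 0},
    {"name": "acct-d/toolkit-2024", "created": "2024-11-01T11:10:00", "seen": "2024-11-01T15:00:00", "stars": 203, "code_files": 0},
    {"name": "dev-e/real-lib", "created": "2023-01-01T00:00:00", "seen": "2024-11-01T15:00:00", "stars": 5000, "code_files": 120},
    {"name": "dev-f/notes", "created": "2024-11-01T09:00:00", "seen": "2024-11-01T15:00:00", "stars": 3, "code_files": 0},
]

def created(repo):
    return datetime.fromisoformat(repo["created"])

def stars_per_hour(repo):
    # Clamp the age to one hour so a minutes-old repo does not divide by ~0.
    age = datetime.fromisoformat(repo["seen"]) - created(repo)
    return repo["stars"] / max(age.total_seconds() / 3600, 1.0)

def is_suspicious(repo, min_rate=20.0):
    # No code at all, yet stars arriving far faster than organic growth.
    return repo["code_files"] == 0 and stars_per_hour(repo) >= min_rate

def find_clusters(repos, window=timedelta(hours=2), star_tol=15, min_owners=3):
    """Group suspicious repos created close together with similar star totals."""
    suspects = sorted((r for r in repos if is_suspicious(r)), key=created)
    clusters, current = [], []
    for repo in suspects:
        if current and (created(repo) - created(current[0]) > window
                        or abs(repo["stars"] - current[0]["stars"]) > star_tol):
            clusters.append(current)
            current = []
        current.append(repo)
    clusters.append(current)
    # A single account spamming repos is a different signal; require that the
    # cluster spans several distinct owners, as in the campaign described.
    return [c for c in clusters
            if len({r["name"].split("/")[0] for r in c}) >= min_owners]

if __name__ == "__main__":
    for cluster in find_clusters(REPOS):
        print("possible coordinated cluster:", [r["name"] for r in cluster])
```

The thresholds need tuning against real data; a cluster is a lead for manual review and an abuse report, not proof of malice.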