01 What happened

The story, straight

A researcher identified 10,000 GitHub repositories distributing Trojan malware in what appears to be a coordinated campaign. The repositories come from different contributors, carry different names, and are not forks of each other — but they share a common pattern that the researcher used to write a detection script. The scheme works by cloning legitimate repositories, then adding a commit that inserts a link to a malicious zip archive in the readme file. The researcher first discovered the campaign after searching their own project name on Bing and finding a near-identical copy with a recently pushed malicious readme change.

a researcher found 10,000 GitHub repos all pushing trojan malware through the same trick. they're from different accounts, different names, not forks — but they all follow the same playbook: clone a real repo, push a commit that drops a malicious zip link into the readme. the researcher stumbled onto it after searching for their own project on Bing and finding an exact copy with a sketchy zip link added an hour earlier. the numbers are staggering and the pattern is systematic.
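The shared pattern described above (a cloned repository plus one commit that only edits the README and adds an archive link) can be turned into a simple triage check over a commit diff. This is an added illustration, not the researcher's detection script; the sample diff, the `example-cdn.invalid` host and the file names are constructed.

```python
import re

# Constructed sample (not from the write-up): the diff of a commit that touches
# only README.md and adds a link to a zip archive, the pattern the researcher
# reported across the cloned repositories.
SAMPLE_DIFF = """\
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,3 +1,6 @@
 # fastjson-parser
 A tiny JSON parser.
+
+## Download
+[Get the latest build](https://files.example-cdn.invalid/fastjson-latest.zip)
 ## Usage
"""

ARCHIVE_RE = re.compile(r"https?://\S+?\.(?:zip|rar|7z|exe)\b", re.I)
DIFF_HEADER_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
README_RE = re.compile(r"^(?:.*/)?readme(?:\.[a-z0-9]+)?$", re.I)


def added_archive_links(diff_text: str) -> tuple[set[str], list[tuple[str, str]]]:
    """Return (files touched, [(readme path, archive URL)] for added lines)."""
    touched: set[str] = set()
    findings: list[tuple[str, str]] = []
    path = None
    for line in diff_text.splitlines():
        m = DIFF_HEADER_RE.match(line)
        if m:
            path = m.group(2)
            touched.add(path)
            continue
        # Added content lines start with one '+'; '+++' is the new-file header.
        if path is None or not line.startswith("+") or line.startswith("+++"):
            continue
        if README_RE.match(path):
            findings += [(path, u.group(0)) for u in ARCHIVE_RE.finditer(line[1:])]
    return touched, findings


def looks_like_readme_drop(diff_text: str) -> bool:
    """True when the commit changes only README files and one of the added
    lines links to an archive: the shape of the commits in the campaign."""
    touched, findings = added_archive_links(diff_text)
    return bool(findings) and all(README_RE.match(p) for p in touched)
```

A hit is a triage signal, not a verdict: legitimate projects also link release archives from their README, so matches are worth checking against the upstream repository the copy was cloned from.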

02 Spread timeline

Where it actually started

Jun 18, 2026 (origin): Researcher publishes a detailed write-up documenting the 10,000-repository malware campaign.
Jun 18, 2026: Lemmy user @orchid shares the write-up on Lemmy, bringing it to broader attention.
Jun 18, 2026: The write-up reaches Hacker News, gaining visibility in the developer community.

03 Source receipts

Every claim, linked

04 What's solid, what isn't

What's solid and what isn't

Confirmed
  • A researcher identified 10,000 GitHub repositories distributing Trojan malware.
  • The repos use a shared pattern: cloning legitimate projects and pushing commits that add malicious zip archive links to the readme.
  • The repos come from different contributors and are not forks of each other.
Disputed
  • The exact malware payload inside the zip archives and its behavior.
  • Whether GitHub has been notified or has begun removing the flagged repositories.
  • The total number of users who may have downloaded malware from these repositories.
Developing
  • GitHub has not publicly commented on the campaign as of publication.
  • Other researchers may be independently verifying the 10,000-repo count and the detection methodology.

05 Why it matters

The editorial take

GitHub has become critical infrastructure for software development, making it a high-value target for supply-chain attacks. A campaign of this scale — 10,000 coordinated repositories — suggests organized threat actors exploiting GitHub's trust model and search indexing to distribute malware at volume. It raises questions about GitHub's ability to detect and remove large-scale coordinated abuse campaigns before users download compromised code.

10,000 repos is not a few bad actors slipping through — that's industrial-scale abuse of a platform the entire software world depends on. github's trust model assumes repos are basically benign until reported, and this campaign is proof that assumption is expensive. supply-chain attacks through fake repos are one of the fastest-growing vectors in cybersecurity and this is the kind of scale that should make every developer check their search results twice.