A large-scale supply chain attack on GitHub has exposed a growing risk for developers and enterprise security teams, with researchers identifying roughly 10,000 repositories that were used to distribute Trojan malware. The campaign relied on cloning legitimate open-source projects, adding malicious ZIP links to README files and using repeated commit activity to make the fake repositories appear authentic.
The attack is especially concerning because it weaponised trust inside the developer ecosystem. Many of the cloned repositories closely mirrored the originals in name, description, commit history and contributor details, making them difficult to distinguish from legitimate projects at first glance. The only visible difference was often a small README change that directed users to an external download.
Repositories Built To Blend In
The malicious repositories were not simple copies. Attackers preserved the structure and visible history of the original projects, then used a recurring commit refresh pattern to keep the clones active and visible in search results and activity feeds. That made the repositories look alive, credible and recent — exactly the qualities developers often rely on when deciding whether to trust a project.
Researchers found that many of the repositories did not appear to be direct forks, confirming that the campaign was deliberately engineered to deceive. In many cases, the ZIP files behind the README links appeared harmless to URL scanners, but the full archive triggered malware detection once downloaded and inspected.
Malware Hidden In Plain Sight
The payload delivered through the archives was identified as Trojan malware, including strains such as SmartLoader and StealC. The attackers appear to have designed the delivery method to bypass basic web-link filtering while still getting malicious code onto developers’ systems once the archive was opened.
That tactic is particularly dangerous in modern software workflows, where developers increasingly depend on public code repositories for scripts, libraries and reference implementations. If a malicious clone is mistaken for the original, the compromise can quickly spread into build systems, internal tools and downstream applications.
AI Workflows Raise The Stakes
The risk is growing as AI-powered coding assistants and agentic developer tools increasingly query public repositories automatically. These systems often rely on repository visibility, search ranking and update history, which makes them vulnerable to manipulation by attackers who know how to game those signals.
Cybersecurity experts say the campaign shows how trust in open-source ecosystems can be exploited at industrial scale. For enterprise teams, the lesson is clear: external code must be verified carefully, ZIP files should never be trusted blindly and repository history alone is no guarantee of safety.
