
10,000 GitHub repos distribute Trojan-laden zip archives
A researcher found 10,000 GitHub repositories hosting zip archives with Trojan payloads, evading GitHub's automated security scans by repeatedly deleting and recreating commits [DevTo].
A security researcher reported that 10,000 distinct GitHub repositories host zip archives containing a Trojan payload [DevTo]. The repositories repeatedly delete and recreate a single commit that adds a link to the archive in the README file, using a uniform commit pattern: every few hours the previous commit is removed and a new commit titled “Update README.md” is pushed, modifying only the README to insert a download link [GitHub Blog]. The linked archive always contains four files: Application.cmd (or Launcher.cmd), a loader executable (loader.exe, luajit.exe, or a renamed .exe), a random-named .cso or .txt file, and lua51.dll. VirusTotal scans the archive as clean, allowing the payload to evade automated detection [DevTo].
The repositories are created by unrelated contributors, have unique names, and are not forks of each other, making bulk detection difficult. By publishing fresh repositories every few hours, the attackers ensure that each repo appears near the top of Google and Bing results for low-volume queries, increasing the chance that unsuspecting developers will download the Trojan. Finding 10,000 repositories with the same commit cadence and identical payload indicates a concerted effort rather than isolated incidents, raising concerns about organized threat groups targeting open-source ecosystems [GitHub Blog].
GitHub announced a bulk removal of the identified repositories on June 19, 2026, and pledged to tighten its detection heuristics for repeated commit patterns and executable payloads in archives [GitHub Blog]. The fact that these repositories were able to evade detection for so long highlights the need for more advanced security measures, such as combining commit-frequency analysis with content-level inspection.
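As an added illustration (not code from the page, from GitHub, or from the researcher), the two signals named above can be scored together in a triage script: the push-event record format, the cadence thresholds, and all sample data are assumptions constructed for this example.

```python
import io
import posixpath
import zipfile
from datetime import datetime, timedelta

# Constructed push-event records (not from the page): each push force-replaces
# the repository's single commit with a fresh "Update README.md" commit.
SAMPLE_PUSHES = [
    {"ts": "2026-06-18T00:05:00", "message": "Update README.md", "files": ["README.md"], "forced": True},
    {"ts": "2026-06-18T04:10:00", "message": "Update README.md", "files": ["README.md"], "forced": True},
    {"ts": "2026-06-18T08:02:00", "message": "Update README.md", "files": ["README.md"], "forced": True},
]

def suspicious_commit_cadence(pushes, min_pushes=3, max_gap_hours=6):
    """True when every push is a forced 'Update README.md' commit that touches
    only README.md and consecutive pushes are at most max_gap_hours apart.
    The thresholds are assumed values for illustration, not GitHub's."""
    if len(pushes) < min_pushes:
        return False
    stamps = [datetime.fromisoformat(p["ts"]) for p in pushes]
    gaps_ok = all(timedelta(0) < later - earlier <= timedelta(hours=max_gap_hours)
                  for earlier, later in zip(stamps, stamps[1:]))
    uniform = all(p["forced"] and p["message"] == "Update README.md"
                  and p["files"] == ["README.md"] for p in pushes)
    return gaps_ok and uniform

def suspicious_archive(zip_bytes):
    """True when the archive has exactly the four-file layout the report
    describes: Application.cmd/Launcher.cmd, a loader .exe, lua51.dll and
    one random-named .cso or .txt blob. Members are matched by basename."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [posixpath.basename(n).lower() for n in zf.namelist() if not n.endswith("/")]
    if len(names) != 4:
        return False
    has_cmd = any(n in ("application.cmd", "launcher.cmd") for n in names)
    has_exe = any(n.endswith(".exe") for n in names)
    has_dll = "lua51.dll" in names
    has_blob = any(n.endswith((".cso", ".txt")) for n in names)
    return has_cmd and has_exe and has_dll and has_blob

def build_sample_zip(member_names):
    """Build an in-memory zip with placeholder contents (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()
```

Neither signal alone is a reliable indicator (many legitimate repos only ever edit their README); a takedown queue should require both, which is the combination the article calls for.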