One Guy With a Laptop Found 10,000 Fake GitHub Repos Booby-Trapped to Rob You AND Your AI
Nobody at GitHub noticed for over a year. One bored dev noticed his own code got cloned, pulled a thread, and the whole sweater fell apart.
10,000 Trojan repos. 40,000 updated every few hours to dodge scanners. 0 detections on the first virus scan. 1 solo researcher who mapped it all using free public data.
A dev who goes by Orchid noticed copies of his own project floating around GitHub — same code, same fake “contributors,” plus a sneaky download link that wasn’t his. He kept pulling. Turns out it’s a malware factory hiding in plain sight, and the new twist? It’s baiting AI coding bots too. Full writeup is here on his blog, and Cybernews broke it wider.
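The tell that started the whole unravelling was a cloned README carrying a download link the real author never published. A defender triaging forks of a project can automate that first check: pull every URL out of the README, keep the ones that point at an archive or installer, and flag any that are not hosted under the original repo's own path (its releases page, for instance). The script below is an added illustration, not code from Orchid's writeup or from GitHub; the README text is constructed for the example, and the repo URL format (`https://github.com/<owner>/<name>`) is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed README of a suspected clone. The original project's URL is kept,
# but a prebuilt-binary link now points at a host the real author does not use.
SAMPLE_README = """# widget-tool
Original project by orchid. See https://github.com/orchid/widget-tool
Download the prebuilt binary: [widget-tool.zip](https://files.example-cdn.net/dl/widget-tool.zip)
Docs: https://github.com/orchid/widget-tool/wiki
Release: https://github.com/orchid/widget-tool/releases/download/v1.0/widget-tool.tar.gz
"""

# File extensions that typically mean "run this", not "read this".
DOWNLOAD_SUFFIXES = (".zip", ".exe", ".msi", ".7z", ".rar", ".dmg",
                     ".tar.gz", ".tgz", ".scr", ".bat", ".ps1")

# Stops at whitespace and at the closing characters of markdown/HTML links.
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in the README text."""
    return URL_RE.findall(text)


def is_download_link(url):
    """True if the URL path ends in an archive or installer extension."""
    return urlparse(url).path.lower().endswith(DOWNLOAD_SUFFIXES)


def repo_origin(repo_url):
    """Split https://github.com/owner/name into (host, owner, name)."""
    parsed = urlparse(repo_url)
    parts = parsed.path.strip("/").split("/")
    owner = parts[0].lower() if parts else ""
    name = parts[1].lower() if len(parts) > 1 else ""
    return parsed.netloc.lower(), owner, name


def link_belongs_to_repo(url, repo_url):
    """True if the URL lives under the repo's own path on the same host.

    A release asset under /owner/name/releases/... passes; a link to another
    host, or to a different owner/name on the same host, does not.
    """
    host, owner, name = repo_origin(repo_url)
    parsed = urlparse(url)
    if parsed.netloc.lower() != host:
        return False
    parts = parsed.path.strip("/").split("/")
    return len(parts) >= 2 and parts[0].lower() == owner and parts[1].lower() == name


def triage_readme(readme_text, repo_url):
    """Flag download links in the README that are hosted outside the repo.

    Returns a list of findings; an empty list means nothing suspicious by
    this heuristic. It is a first-pass filter for a human reviewer, not proof
    of malice: a project that legitimately hosts binaries elsewhere will
    also be flagged, and a malicious asset attached to the repo's own
    releases page will not be.
    """
    findings = []
    for url in extract_urls(readme_text):
        if is_download_link(url) and not link_belongs_to_repo(url, repo_url):
            findings.append({
                "url": url,
                "reason": "download link hosted outside the repo's own path",
            })
    return findings


if __name__ == "__main__":
    for finding in triage_readme(SAMPLE_README, "https://github.com/orchid/widget-tool"):
        print(f"SUSPICIOUS: {finding['url']} ({finding['reason']})")
```

Run against the sample, only the `example-cdn` archive is reported; the wiki link and the release tarball under `orchid/widget-tool` pass because they sit on the repo's own path. Because the campaign the article describes refreshes its repos every few hours, a check like this belongs in something that re-runs on a schedule over the fork list rather than in a one-off scan.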