
10,000 Malicious GitHub Repos Are Pushing Trojans Now


A security researcher published findings on June 18 showing approximately 10,000 GitHub repositories quietly distributing Trojan malware. These are not obviously sketchy repos. They have real commit histories, real contributor profiles, and real source code — because they are clones of legitimate projects. The only thing modified is the README, which links to a ZIP archive that installs SmartLoader and StealC on Windows machines. GitHub deleted them after the story went public. That is the problem: it took a public blog post and front-page Hacker News exposure to get action on repositories that had been running for months.

How the Attack Works

The mechanic is straightforward and effective. Attackers clone a legitimate GitHub repository wholesale, preserving every commit, every contributor name, every line of source code. They then overwrite the README with a link to a malicious ZIP archive. Every few hours, that commit is deleted and an identical one pushed — same change, same commit message: “Update README.md” — likely to keep the repo appearing fresh in GitHub’s activity feeds and search results.

The reason this works at scale: the download link itself scans clean on VirusTotal. Zero detections on the URL. Only scanning the ZIP file directly surfaces the Trojan. Most developers check the link, not the archive. The researcher caught the campaign by filtering for repositories updated between one and 24 times per day with that exact commit message pattern — a trivially detectable signature that nevertheless persisted across 10,000 repositories for months without GitHub acting.
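The update-frequency filter described above can be sketched as follows. This is an added example, not the researcher's tooling: it assumes you have periodic observations of each repository's head commit, and the record fields (`repo`, `seen`, `head`, `parent`, `message`) and all sample values are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

SUSPECT_MESSAGE = "Update README.md"   # commit message reported in the article

def flag_repos(snapshots, min_per_day=1, max_per_day=24):
    """Return {repo: head rewrites per day} for repos whose head commit keeps
    being replaced by a new commit with the same parent and the same message."""
    by_repo = defaultdict(list)
    for snap in snapshots:
        by_repo[snap["repo"]].append({**snap, "seen": datetime.fromisoformat(snap["seen"])})
    flagged = {}
    for repo, snaps in by_repo.items():
        snaps.sort(key=lambda s: s["seen"])
        rewrites = 0
        for prev, cur in zip(snaps, snaps[1:]):
            same_message = prev["message"] == cur["message"] == SUSPECT_MESSAGE
            # Delete-and-repush leaves the parent unchanged but yields a new head hash.
            head_replaced = (cur["head"] != prev["head"]
                             and cur["parent"] == prev["parent"])
            if same_message and head_replaced:
                rewrites += 1
        # Normalise to a daily rate; windows shorter than a day count as one day.
        days = max((snaps[-1]["seen"] - snaps[0]["seen"]).total_seconds() / 86400, 1.0)
        rate = rewrites / days
        if rewrites and min_per_day <= rate <= max_per_day:
            flagged[repo] = round(rate, 2)
    return flagged

def _snap(repo, seen, head, parent, message):
    return {"repo": repo, "seen": seen, "head": head, "parent": parent, "message": message}

# Constructed observations (repository names and hashes are placeholders).
SNAPSHOTS = [
    _snap("example/cloned-tool", "2026-01-01T00:00:00", "a1", "p0", SUSPECT_MESSAGE),
    _snap("example/cloned-tool", "2026-01-01T06:00:00", "a2", "p0", SUSPECT_MESSAGE),
    _snap("example/cloned-tool", "2026-01-01T12:00:00", "a3", "p0", SUSPECT_MESSAGE),
    _snap("example/cloned-tool", "2026-01-01T18:00:00", "a4", "p0", SUSPECT_MESSAGE),
    _snap("example/cloned-tool", "2026-01-02T00:00:00", "a5", "p0", SUSPECT_MESSAGE),
    # Ordinary development: the new head builds on the old one.
    _snap("example/normal-lib", "2026-01-01T00:00:00", "b1", "b0", "Fix parser bug"),
    _snap("example/normal-lib", "2026-01-02T00:00:00", "b2", "b1", SUSPECT_MESSAGE),
    # A genuine one-off README edit: the head never changes.
    _snap("example/docs-once", "2026-01-01T00:00:00", "c1", "c0", SUSPECT_MESSAGE),
    _snap("example/docs-once", "2026-01-01T12:00:00", "c1", "c0", SUSPECT_MESSAGE),
]

if __name__ == "__main__":
    print(flag_repos(SNAPSHOTS))
```

Matching on the unchanged parent separates the delete-and-repush behaviour from a project that simply edits its README often.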

Your AI Coding Agent Is Now Part of the Attack Surface

Here is the part that makes this more than a story about careless downloading. The Hacker News discussion that followed flagged something the original writeup underplayed: these repositories may be specifically optimized to catch AI coding agents, not just human developers.

AI coding tools — Claude Code, Cursor, GitHub Copilot, and others — autonomously search GitHub to resolve dependencies, find code examples, and suggest imports. They do this without a developer ever manually opening a browser. One commenter put it plainly: the repos “appear on a fraction of the searches agents do to add dependencies and get lucky.” The attack surface has quietly expanded from developers who manually download ZIP files to any agentic coding workflow that queries GitHub. That is a significantly larger surface than most teams have accounted for.

What the Malware Actually Does

According to Hexastrike’s technical breakdown of an earlier SmartLoader campaign, the infection chain is deliberately quiet. SmartLoader runs as a silent LuaJIT process with no console window and built-in anti-debug checks. Its command-and-control server is resolved not through a fixed IP but through a Polygon blockchain smart contract — meaning traditional IP blacklisting offers no protection. After establishing persistence via two separate scheduled tasks (one of which re-downloads fresh payloads from GitHub itself), SmartLoader passes execution to StealC.

StealC harvests browser credentials, API keys, cloud access tokens, and cryptocurrency wallet data. Developers are high-value targets precisely because a compromised developer machine typically holds production credentials, GitHub tokens, AWS access keys, and direct access to internal systems. The malware earns its payload cost many times over from a single successful infection.

GitHub Sat on Abuse Reports for Months

Some of these repositories existed for over a year. Multiple Hacker News users reported filing abuse reports months ago; GitHub took no action. The repos were removed only after the researcher published findings and the story hit the front page. GitHub has no automated scanning for embedded archives or executables in repository downloads. The “Update README.md” commit pattern — repeated up to 24 times per day across 10,000 accounts — was apparently not on anyone’s detection radar.

This is not a complex technical failure. It is a prioritization failure. GitHub is a Microsoft platform with Microsoft’s resources. Detecting repositories that update only their README with suspicious archive links at high frequency is not a hard problem. Choosing not to solve it is a different matter. Moreover, this campaign does not exist in isolation. The Miasma worm compromised 73 Microsoft-owned GitHub repositories in early June 2026 and was specifically designed to trigger when repos were opened in AI coding tools including Claude Code, Cursor, and VS Code. Separately, the Megalodon CI/CD campaign has infected 3,500-plus repositories with credential-stealing YAML files that execute during CI pipelines.

The pattern is consistent: GitHub is under coordinated, sustained attack across multiple vectors, and its defenses are not keeping pace. ByteIota has also covered the parallel supply chain threat in 15 JetBrains plugins that stole AI API keys and 144 Mastra npm packages that were backdoored — the repository attack is the same instinct applied to a different trust surface.

What Developers Should Do Now

Until GitHub builds meaningful automated defenses, here are concrete steps from the researcher’s original report:

  • Never run code from a ZIP linked in a README. Official releases come from the Releases tab, not a README download button. If a README offers a ZIP, treat it as a red flag by default.
  • Scan ZIP files directly, not download links. Upload the archive itself to VirusTotal before extracting. The link will scan clean; the file may not.
  • Know the four-file pattern. A ZIP containing a batch launcher (Application.cmd or Launcher.cmd), a LuaJIT executable, lua51.dll, and an obfuscated .txt or .log file of roughly 300KB is the SmartLoader delivery signature. Do not run it.
  • Audit your AI coding agent settings. If your agent can autonomously resolve dependencies or reference external repositories, understand what trust boundaries exist. Most agents follow instructions without verifying repository authenticity.
  • Report suspicious repos with specifics. Include the commit pattern details when filing abuse reports. Generic reports appear to go unactioned; technical specifics may route to the right queue.
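The four-file pattern can be checked from a ZIP's listing alone, without extracting anything. The following is an added example, not code from the researcher's report: the 200 to 400 KB window for "roughly 300KB", the treatment of any `.exe` as the candidate LuaJIT binary, and every sample file name other than `Launcher.cmd`, `Application.cmd` and `lua51.dll` are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

LAUNCHERS = {"application.cmd", "launcher.cmd"}   # names given in the article
BLOB_SIZE = range(200_000, 400_001)               # assumption: "roughly 300KB"

def smartloader_indicators(zip_source):
    """List a ZIP's entries (nothing is extracted) and report which of the
    four files from the article's pattern are present."""
    found = {"launcher": None, "exe": None, "lua51.dll": None, "blob": None}
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name.lower()
            ext = PurePosixPath(name).suffix
            if name in LAUNCHERS:
                found["launcher"] = info.filename
            elif name == "lua51.dll":
                found["lua51.dll"] = info.filename
            elif ext == ".exe":   # assumption: any .exe may be the LuaJIT binary
                found["exe"] = info.filename
            elif ext in (".txt", ".log") and info.file_size in BLOB_SIZE:
                found["blob"] = info.filename
    return found

def matches_four_file_pattern(zip_source):
    """True only when all four indicators are present in the archive."""
    return all(smartloader_indicators(zip_source).values())

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

# Constructed samples: harmless placeholder bytes, only names and sizes matter.
SUSPECT = make_zip({"tool/Launcher.cmd": b"rem placeholder", "tool/luajit.exe": b"\0" * 64,
                    "tool/lua51.dll": b"\0" * 64, "tool/data.txt": b"x" * 300_000})
BENIGN = make_zip({"README.md": b"# project", "src/main.py": b"print('hi')",
                   "notes.txt": b"small text file"})

if __name__ == "__main__":
    for label, z in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, matches_four_file_pattern(z), smartloader_indicators(z))
```

A match is a reason to stop and scan the archive itself, not a verdict; a miss does not clear the file.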

GitHub’s failure to act proactively on this is frustrating, but in the meantime, the verification steps above are straightforward. The attack works because developers extend trust to GitHub by default. Withdraw that default trust for any repository offering a README-linked download, and this particular vector stops working.

ByteBot