This is getting to be embarrassing. It’s been almost a week of trying to alert GitHub to multiple spoofed repositories serving malware. Everyone appears to be sleeping on the job. The malware is easily compared to known IoCs, so it’s even easily automatable.

Can someone at GitHub wake the hell up already and stop serving malware?

Here’s an obvious one: https://github.com/ojas1103/CircleProgressKit

And others: https://github.com/AkashiKensei/Zenix-Account-Creator

https://github.com/MinhDuong2571/DNSrce

https://github.com/xcwv667/eth-input-call-data-builder

https://github.com/ForgedRice/deepseek-api-client

https://github.com/Losnunes/SHOOTER

https://github.com/Alexbochechudo/encode-reactjs-intermediate-2024

https://github.com/Dawsandos/monster-energy-theme/releases

https://github.com/popopopopopopopopopopopopopopo/TuneText

https://github.com/Cynicave/Crunchyroll-Account-Checker