VOGONS


First post, by UCyborg

Rank Oldbie

I reported this repo almost 3 weeks ago, but still nothing.

Arthur Schopenhauer wrote:

A man can be himself only so long as he is alone; and if he does not love solitude, he will not love freedom; for it is only when he is alone that he is really free.

Reply 1 of 15, by twiz11

Rank Oldbie

UCyborg wrote:

I reported this repo (https://github.com/akutayo2/GPlayApiCli) almost 3 weeks ago, but still nothing.

GitHub is owned by the biggest malware of 'em all, Microsoft.

Reply 2 of 15, by Robbbert

Rank Member

How do you know it's malware?

Reply 3 of 15, by RandomStranger

Rank Oldbie

I was thinking the same. Circumventing Google's user identification/authentication might break their terms of service, but not malicious on its own.


Reply 4 of 15, by jmarsh

Rank Oldbie

The user in question has forked the repository and then the only change was to replace the release download. So yes, there's a good chance they've infected it with malware.

Reply 5 of 15, by UCyborg

Rank Oldbie

https://www.virustotal.com/gui/file/3f22e6637 … ed68148f483c545

Somehow, the only reason it ended up on VirusTotal, is me. 😀

An arbitrary ZIP was inserted into the source tree, and the malicious author force-pushes the same commit multiple times a day to inflate his contribution count; a legitimate developer would totally do that. /s

The repo was published as new, bypassing the fork function (a valid way to go in some cases, but with ill intent in this case), the readme was changed to direct users to the malicious payload, and the ZIP itself contains a Lua interpreter, an obfuscated script and a CMD to invoke the Lua interpreter to execute the script. The script silently generates additional executables and installs scheduled tasks to run them.

That report on VirusTotal is not complete; it doesn't answer the question of what the generated executables do.

And that POS appears at the top of popular search engines while the legitimate repo is hidden from plain sight. 😠 Though I haven't figured out Gradle / Java to get it to run...

Arthur Schopenhauer wrote:

A man can be himself only so long as he is alone; and if he does not love solitude, he will not love freedom; for it is only when he is alone that he is really free.
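The layout UCyborg describes (a bundled Lua interpreter, a CMD launcher that invokes it, and an obfuscated script) is a recognisable pattern that can be checked for before anything in an archive is run. The following Python is an added example, not code from the thread or from either repository: it lists the members of a ZIP and flags that interpreter + launcher + opaque-script chain, plus strings associated with scheduled-task persistence. The interpreter name list, the extensions, and the entropy threshold are my assumptions, and the two archives it inspects are constructed in memory (the "lua.exe" member is placeholder bytes, not a real binary).

```python
import base64
import hashlib
import io
import math
import os
import re
import zipfile
from collections import Counter

# Heuristics (assumptions for this example): commonly bundled script interpreters,
# launcher/script extensions, and strings tied to scheduled-task or Run-key persistence.
INTERPRETER_RE = re.compile(r"^(lua|luajit|python|pythonw|node|wscript|cscript)[\w.-]*\.exe$", re.I)
LAUNCHER_EXT = {".cmd", ".bat"}
SCRIPT_EXT = {".lua", ".ps1", ".vbs", ".js", ".py"}
PERSISTENCE_RE = re.compile(r"schtasks|Register-ScheduledTask|CurrentVersion\\Run", re.I)
ENTROPY_THRESHOLD = 5.0  # bits per byte; readable source text usually sits around 4.0-4.7


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: base64 or packed blobs score near 6, plain source text lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_zip(zip_bytes: bytes) -> dict:
    """Flag the bundled-interpreter + launcher + opaque-script pattern inside a ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}

    findings = {"interpreters": [], "launchers": [], "high_entropy_scripts": [], "persistence": []}
    for name in members:
        if INTERPRETER_RE.match(os.path.basename(name)):
            findings["interpreters"].append(name)
    interp_basenames = [os.path.basename(n).lower() for n in findings["interpreters"]]

    for name, data in members.items():
        ext = os.path.splitext(name)[1].lower()
        if ext not in LAUNCHER_EXT | SCRIPT_EXT:
            continue
        text = data.decode("utf-8", errors="replace")
        # A .cmd/.bat that calls a bundled interpreter is the launcher in the chain.
        if ext in LAUNCHER_EXT and any(b in text.lower() for b in interp_basenames):
            findings["launchers"].append(name)
        # A script that is mostly high-entropy data is packed/obfuscated rather than readable.
        if ext in SCRIPT_EXT and shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings["high_entropy_scripts"].append(name)
        if PERSISTENCE_RE.search(text):
            findings["persistence"].append(name)

    chain = findings["interpreters"] and findings["launchers"] and findings["high_entropy_scripts"]
    findings["verdict"] = "suspicious" if chain else "no pattern match"
    return findings


def _opaque_blob(n_blocks: int = 64) -> str:
    # Deterministic stand-in for an obfuscated payload: base64 of chained SHA-256 digests.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))
    return base64.b64encode(raw).decode()


def build_sample_zip() -> bytes:
    """Constructed archive laid out like the one described: interpreter + .cmd + opaque script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lua.exe", b"MZ" + b"\x00" * 64)  # placeholder bytes, not a real binary
        zf.writestr("run.cmd", "@echo off\r\nlua.exe payload.lua\r\n")
        zf.writestr("payload.lua", 'local s = "' + _opaque_blob() + '"\nload(decode(s))()\n')
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed comparison archive: readable script and readme, no bundled interpreter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Build with Gradle, then run the CLI.\n")
        zf.writestr("main.lua", "local args = {...}\nfor i, a in ipairs(args) do print(i, a) end\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_zip()), ("benign", build_benign_zip())):
        print(label, triage_zip(blob))
```

The verdict is a triage signal, not proof: a genuine project can ship an interpreter with a launcher, and an obfuscated script says nothing about what it does. What the check gives a reviewer is a reason to read the launcher and unpack the script in an isolated environment rather than double-clicking a download that a readme points at.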

Reply 6 of 15, by BEEN_Nath_58

Rank l33t

User is probably doing this to make the GitHub graph green.

previously known as Discrete_BOB_058

Reply 7 of 15, by DracoNihil

Rank Oldbie

UCyborg wrote on 2026-05-08, 19:49:

I reported this repo almost 3 weeks ago, but still nothing.

These kinds of "supply chain attacks" are becoming increasingly prevalent, I've noticed, and it's very hard to get the attention of administrators unless this is some "ABSOLUTELY CRITICAL" internet appliance.

I'd inform the main upstream repo that's being victimized by such poisoning and see where it goes from there.

“I am the dragon without a name…”
― Κυνικός Δράκων

Reply 8 of 15, by Fazeshift

Rank Newbie

The popularity of vibe coding opens the door to a lot of these types of issues. Most people using LLMs to code are not going to verify the legitimacy of the random GitHub repos being used.

I bet that is the scenario here. The bad actor forks a repo, modifies it for bad purpose, makes it look active/maintained, gets it to rank in search results, then waits for LLM models to utilize it when people vibe code stuff.

I'm not a developer, just dabble a bit. If I'm seeing this regularly on GitHub, then the problem is probably widespread.

Reply 9 of 15, by DaveDDS

Rank Oldbie

I've never been comfortable with having the primary site for my stuff being under some other control...

For years I ran my own site ... and all my downloads lived there.

I also used a "registered" edition of PKZIP to create the .ZIP downloads with a verification code (not that I trust it that much now - I know it's been hacked).

When I died in 2019 I didn't "come back" till after the domain had expired, and now someone else is paying for it and often kindly offers to rent it back to me... (as I decided to retire after "the event", I keep declining)

But... a friend has a site and he's giving me some space on it which is where my downloads live now... This site is old/boring HTML and auto-generated by a tool I wrote... all download listings show the revision date in the description.

I also maintain a database of "check sequences" for each download, and provide a tool to validate that the .ZIP matches the database. The actual check/CRC methods are non-standard, quite secure (I worked for a time in the banking industry), and I've never published any documentation describing how it works.

The database is posted separately from the tool (so you only have to get the tool once). The tool is both a .EXE and a .DVM (much less known, harder to hack).

And it does seem that lots of people interested in what I used to do can find it as I get lots of correspondence about it ... so far this has been working well!

- Dave ; https://dunfield.themindfactory.com ; "Daves Old Computers" ; SW dev addict best known:
ImageDisk: rd/wr ANY floppy PChardware can ; Micro-C: compiler for DOS+ManySmallCPU ; DDLINK: simple/small FileTrans(w/o netSW)via Lan/Lpt/Serial
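DaveDDS's check-sequence database and validation tool are his own, unpublished scheme. As an added example (not his tool, and using only the Python standard library), here is the standard equivalent: a manifest of SHA-256 digests and sizes published separately from the downloads, a verifier that reports "ok", "mismatch" or "unknown" for a file, and an HMAC seal over the manifest so a checker holding the key can tell an edited manifest from a genuine one. The file names, contents, revision label and key are all constructed for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, revision: str) -> str:
    """One line per download: digest, size in bytes, name. A comment line carries the revision."""
    lines = [f"# check-db revision {revision}"]
    for name in sorted(files):
        lines.append(f"{sha256_hex(files[name])}  {len(files[name])}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Map name -> (digest, size); comment lines (including the seal) are skipped."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, size, name = line.split(maxsplit=2)
        entries[name] = (digest, int(size))
    return entries


def verify_download(name: str, data: bytes, manifest_text: str) -> str:
    """'ok', 'mismatch' (size or digest differs) or 'unknown' (not in the database)."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return "unknown"
    digest, size = entries[name]
    if len(data) != size or not hmac.compare_digest(sha256_hex(data), digest):
        return "mismatch"
    return "ok"


def seal_manifest(manifest_text: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag over the manifest body as a final comment line."""
    tag = hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()
    return manifest_text + f"# seal {tag}\n"


def check_seal(sealed_text: str, key: bytes) -> bool:
    """True only if the last line is a seal that matches the preceding body under this key."""
    body, _, last = sealed_text.rstrip("\n").rpartition("\n")
    if not last.startswith("# seal "):
        return False
    expected = hmac.new(key, (body + "\n").encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, last[len("# seal "):])


# Constructed sample downloads and a constructed key; a real checker would embed its own.
DOWNLOADS = {
    "tool-a.zip": b"PK\x03\x04 constructed archive A",
    "tool-b.zip": b"PK\x03\x04 constructed archive B",
}
VERIFIER_KEY = b"constructed-key-embedded-in-the-checker-tool"


def demo() -> dict:
    manifest = seal_manifest(build_manifest(DOWNLOADS, "r42"), VERIFIER_KEY)
    tampered = DOWNLOADS["tool-a.zip"] + b"\x00"  # one extra byte stands in for a swapped download
    return {
        "seal_ok": check_seal(manifest, VERIFIER_KEY),
        "genuine": verify_download("tool-a.zip", DOWNLOADS["tool-a.zip"], manifest),
        "tampered": verify_download("tool-a.zip", tampered, manifest),
        "unknown": verify_download("tool-c.zip", b"anything", manifest),
        "edited_manifest": check_seal(manifest.replace("tool-b", "tool-x"), VERIFIER_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The seal is where this departs from a published-algorithm scheme: it only helps while the key stays out of the attacker's hands, and a key embedded in a distributed checker can be pulled out of the binary. When the checker itself is public, the usual choice is a detached signature over the manifest made with a private key kept offline (minisign or GPG style), so that verification needs no secret at all.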

Reply 10 of 15, by LSS10999

Rank Oldbie

DracoNihil wrote on 2026-05-09, 13:26:
UCyborg wrote on 2026-05-08, 19:49:

I reported this repo almost 3 weeks ago, but still nothing.

These kinds of "supply chain attacks" are becoming increasingly prevalent I've noticed and it's very hard to get the attention of administrators unless this is some "ABSOLUTELY CRITICAL" internet appliance.

I'd inform the main upstream repo that's being victimized by such poisoning and see where it goes from there.

It's been a month and nothing happened. Nothing at all.

The report you sent to the actual repo got no response, and that "fake" repo is still there with the attacker still force-pushing the commit...

Reply 11 of 15, by Rwolf

Rank Member

I get a 404 response from GitHub trying to access the clone page, so maybe they woke up.

Reply 12 of 15, by UCyborg

Rank Oldbie

I kinda forgot about this. The issue on the legitimate repo was opened by another person; mine was sent through the official form for reporting these things to GitHub, so it's not visible anywhere publicly.

Anyway, good to see it solved.

Arthur Schopenhauer wrote:

A man can be himself only so long as he is alone; and if he does not love solitude, he will not love freedom; for it is only when he is alone that he is really free.

Reply 13 of 15, by LSS10999

Rank Oldbie

Rwolf wrote on Today, 09:09:

I get a 404 response from GitHub trying to access the clone page, so maybe they woke up.

Can confirm. Looks like the attacker (along with the repo) was banned only just now.

When I posted my previous message the repo was still there...

Reply 14 of 15, by UCyborg

Rank Oldbie

DaveDDS wrote on 2026-05-09, 17:06:

I've never been comfortable with having the primary site for my stuff being under some other control...

For years I ran my own site ... and all my downloads lived there.

In my case, the stuff I occasionally publish is probably better off somewhere else. Because otherwise I'd have to actively care about self-hosting (or some other means to register a domain and pay for some means of hosting). And considering there literally isn't anything in this world that keeps me interested for a longer period... As for others' stuff, I can't really control where they put it.

It's a bit like videos and YouTube in a way in general. How many people do you know that care about self-hosting or running their own site in a way to put videos on rather than just put them on YouTube?

Arthur Schopenhauer wrote:

A man can be himself only so long as he is alone; and if he does not love solitude, he will not love freedom; for it is only when he is alone that he is really free.

Reply 15 of 15, by the3dfxdude

Rank Oldbie

I abandoned GitHub years ago due to a very subtle, and frankly dangerous, design issue of their forking system. Considering their entire business model is built around how their proprietary forking method works, I simply just gave up rather than pursue the issue with them directly, or share it and have to argue with random internet idiots. Scrapping their code would likely never go over well with them either. Since then, they semi-cleaned up the issue. Seeing another method posted here that games the system is scary knowing how much people trust GitHub. The XZ sabotage is also sort of another example of blind trust in GitHub, though that exploit path was more deliberate. Someone smart is going to put together a well crafted, socially engineered mass exploit one of these days, because devs are blindly pushing things through.

I echo other people here. Devs shouldn't be conditioning people to access GitHub as their project front page. Host your own front page and primary repository and mirror. Don't rely on GitHub's perks at all. The tools can be fine for individual developers if that is where they want to do their work. Use a traditional pull request system. Rely on git's original distributed concept, and not any centralized service.