Comment by mustaphah

1 day ago

This is just one flavour of abuse. GitHub does NOT give a shit about the scale of the malware problem.

I've seen so many forms of malware repos while working on a GitHub trends newsletter [1], mostly about crypto, NFTs, KMS, and similar stuff.

In the first runs of the project, I was so surprised by tens of malware repos that looked like trending repos. A lot of them share some common traits that made filtering feasible:

- Made by a fresh GitHub user - many created in the past few days.

- The average creation date of stargazer accounts is very close to the repo creation date. If you take the mean time diff, those bad repos get exposed.

I reported tens of malware repos, but then I gave up as I felt GitHub was not really doing enough to fight back. I was like... these guys don't seem to care, why should I?

God knows how many people have been abused by these malware repos on GitHub.

---

[1] https://github.com/mhadidg/gh-trends
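The two traits listed above (a freshly created owner account, and stargazer accounts whose creation dates cluster around the repo's creation date) are the kind of thing that can be scored from public metadata alone. The block below is an added illustration written for this page, not code from gh-trends or from GitHub; the thresholds, the `Repo` record, and the sample repos are my own assumptions and constructed data. In a real run the timestamps would come from the `created_at` fields of the repo, its owner, and each stargazer as returned by the GitHub REST API; here they are embedded inline so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import List

# Thresholds are assumptions chosen for illustration, not values from the comment above.
OWNER_MAX_AGE_DAYS = 14         # owner account created shortly before the repo
STARGAZER_MEAN_GAP_DAYS = 30    # stargazer accounts created around the same time as the repo
MIN_STARS_FOR_CHECK = 5         # with fewer stars the mean gap is just noise


@dataclass
class Repo:
    full_name: str
    created_at: datetime                  # repo created_at
    owner_created_at: datetime            # owner account created_at
    stargazer_created_at: List[datetime]  # created_at of each stargazer account


def owner_age_days(repo: Repo) -> float:
    """Days between the owner account's creation and the repo's creation."""
    return (repo.created_at - repo.owner_created_at).total_seconds() / 86400


def mean_stargazer_gap_days(repo: Repo) -> float:
    """Mean absolute distance, in days, between each stargazer account's creation
    date and the repo creation date. Organic repos draw stars from accounts of all
    ages, so the mean is large; bot or purchased stars cluster near zero."""
    gaps = [abs((s - repo.created_at).total_seconds()) / 86400
            for s in repo.stargazer_created_at]
    return mean(gaps)


def flags(repo: Repo) -> List[str]:
    """Return the heuristic labels that apply to this repo."""
    out = []
    if owner_age_days(repo) <= OWNER_MAX_AGE_DAYS:
        out.append("fresh-owner")
    if (len(repo.stargazer_created_at) >= MIN_STARS_FOR_CHECK
            and mean_stargazer_gap_days(repo) <= STARGAZER_MEAN_GAP_DAYS):
        out.append("stargazers-created-with-repo")
    return out


def suspicious(repo: Repo) -> bool:
    # Require both signals so the queue handed to expensive review stays small.
    return len(flags(repo)) == 2


def scan(repos: List[Repo]) -> List[str]:
    """Names of the repos that should be sent for review."""
    return [r.full_name for r in repos if suspicious(r)]


def _d(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data (hypothetical repos, not real GitHub accounts).
SAMPLE_REPOS = [
    # owner account 2 days old, all stargazers created within 2 days of the repo
    Repo("someuser/nft-sniper-bot", _d("2024-05-10"), _d("2024-05-08"),
         [_d("2024-05-09"), _d("2024-05-10"), _d("2024-05-10"),
          _d("2024-05-11"), _d("2024-05-12"), _d("2024-05-09")]),
    # owner account from 2016, stargazers spread over a decade
    Repo("longtime/cli-tool", _d("2024-05-10"), _d("2016-03-01"),
         [_d("2012-07-04"), _d("2019-11-20"), _d("2023-02-14"),
          _d("2021-06-30"), _d("2024-05-11"), _d("2017-09-09")]),
]

if __name__ == "__main__":
    for r in SAMPLE_REPOS:
        print(f"{r.full_name}: owner age {owner_age_days(r):.1f}d, "
              f"mean stargazer gap {mean_stargazer_gap_days(r):.1f}d, flags={flags(r)}")
    print("for review:", scan(SAMPLE_REPOS))
```

The mean gap is deliberately computed as an absolute distance rather than a signed one: accounts created just before the repo (to be ready to star it) and just after (created to star it) both pull the mean toward zero, which is the signal the comment describes.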

This is the problem with software/services being taken over by big entities: they no longer have to care under the umbrella of "too big to fail".

I have no idea what kind of investment this would take in terms of time and money, but is it beyond the realms of possibility to run code submitted to GitHub through a basic filter? Genuine question - I have no experience of systems at that scale. But the fact that Microsoft is able to replace URLs in emails with ones that redirect through their systems so they can block malware URLs makes me feel like it should be possible.

  • You can probably catch a big pie of those with simple heuristics to flag suspicious repos for expensive review (human- or AI-based). I did that with public account & repo data, and I believe they can do much more given the amount of private data they have access to.

    I'm talking about tens of repos flagged in a few hours. I don't think the volume would be that big for an expensive review.

If most malware repos are created in the last few days by a fresh user, then it sounds like GitHub is taking action against them? Or where are the old ones?

  • Well, my trend detection logic rewards recent stars more than older ones [1]. Recency is an important factor for many custom and public tools that track GitHub trends. I think the bad guys intentionally recreate repos - I actually noticed that.

    That being said, they do take action if you report the repo. So I'm guessing good users are doing the heavy lifting here with reporting. I don't believe GitHub is taking enough proactive measures, or maybe they do, but it's not working well, obviously.

    https://hadid.dev/posts/github-trends/#growth-based-approach

  • Yea, I'd change it to: they care about the malware and will remove the repos, but above everything else they don't want to slow down the signup flow.

Most of HN doesn't give a shit about the malware problem. They will happily click "Give XYZ App ... permission to act on your behalf" to all of their repos with zero knowledge of what permissions are being requested. GitHub's auth system doesn't tell the user what permissions are being requested.

Note: GitHub has two auth systems: OAuth and GitHub Auth. OAuth lists permissions, but most apps use GitHub Auth, which does not. So that app that gives you a badge or lets you comment could be asking for write permission on all your repos. You have no idea.