orchidfiles.com web signal

Researcher Uncovers 10,000 GitHub Repositories Distributing Trojan Malware via ZIP Archives That Evade VirusTotal URL Scanning

cybersecurity coding tools cybersecurity supply-chain developer-tools

Summary

A security researcher documented roughly 10,000 GitHub repositories that had been systematically seeded with cloned history from legitimate projects and given periodically refreshed README files linking to ZIP archives that carry Trojan malware. The campaign ran undetected for at least 18 months. The archives exploit a VirusTotal gap: submitting only the download URL returns zero detections, while uploading the ZIP itself reveals the Trojan, so the campaign slips past automated link-based scanners used in CI/CD and dependency-review workflows. The post reached 722 points on Hacker News on June 18, before GitHub removed the reported repositories following disclosure.
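The practical lesson for a dependency-review pipeline is to inspect the archive bytes a README points at, not just the URL. The following is an added example (not code from the article or the researcher) that extracts direct ZIP links from a README and, for a fetched archive, hashes it and lists its members so that bundled executables are flagged for review; the README text, the `example.invalid` URL and the in-memory archive are all constructed stand-ins.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample README, modelled on the campaign described above:
# a refreshed README whose "download" link points at a ZIP archive.
SAMPLE_README = """# CoolTool
Build from source or grab the prebuilt package:
[Download latest build](https://example.invalid/releases/CoolTool-v2.zip)
See docs at https://example.invalid/docs
"""

# Suffixes that have no business inside a "source" or "docs" archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".bat", ".cmd",
                       ".ps1", ".vbs", ".js", ".jar", ".msi")

ZIP_LINK_RE = re.compile(r"https?://[^\s)\"']+\.zip\b", re.IGNORECASE)


def extract_zip_links(readme_text: str) -> list[str]:
    """Return every direct .zip URL referenced in a README, in order."""
    return ZIP_LINK_RE.findall(readme_text)


def inspect_archive(archive_bytes: bytes) -> dict:
    """Inspect the archive itself rather than its URL.

    A URL-only scan sees nothing here; the SHA-256 and the member listing
    are what a file-based scan (or a VirusTotal file upload) operates on.
    """
    sha256 = hashlib.sha256(archive_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = zf.namelist()
    suspicious = [m for m in members if m.lower().endswith(EXECUTABLE_SUFFIXES)]
    return {"sha256": sha256, "members": members, "suspicious": suspicious,
            "verdict": "review" if suspicious else "clean-by-structure"}


def build_constructed_archive() -> bytes:
    """Constructed stand-in for a linked archive: a README plus an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CoolTool/README.txt", "installer inside")
        # Two-byte 'MZ' stub followed by zeros: looks like a PE name, runs nothing.
        zf.writestr("CoolTool/setup.exe", b"MZ" + b"\0" * 64)
    return buf.getvalue()
```

In a real pipeline the archive bytes come from fetching each link that `extract_zip_links` returns, and the SHA-256 is what you look up or submit instead of the URL.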