HeadlinesBriefing.com

10,000 GitHub Repos Spread Trojan Malware

Hacker News

A developer uncovered 10,000 repositories on GitHub that silently hand out Trojan malware. Each repo, created by a different contributor, clones the full commit history of another project and then deletes the last commit every few hours, replacing it with a single README change that links to a malicious zip archive. The pattern enabled a script to flag the hidden threats.

To locate them, the author used gharchive's daily event dumps, filtering for push events that hit a repo 2–10 times every 10 hours. From 16 million commits, only 3,000 fit that cadence, and further API calls narrowed the list to 14 unique projects. After widening the criteria to 1–24 pushes per day, the count jumped to 40,000, with 10,000 matching the Trojan pattern.
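As an added example (not the author's Git Malware Finder script), the following shows one way to run the article's push-cadence heuristic over a gharchive-style daily dump and tighten it with a history-rewrite check, since a push whose `before` SHA is not the previous push's `head` dropped commits rather than adding them. The NDJSON sample, repo names and SHAs are constructed; the 2–10 pushes per 10 hours thresholds are the article's.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in gharchive's NDJSON shape (one JSON event per line);
# repo names, timestamps and SHAs are invented for this example.
SAMPLE_NDJSON = """
{"type":"PushEvent","created_at":"2024-01-01T00:00:00Z","repo":{"name":"acct-a/mirror"},"payload":{"ref":"refs/heads/main","before":"1111","head":"2222"}}
{"type":"PushEvent","created_at":"2024-01-01T03:00:00Z","repo":{"name":"acct-a/mirror"},"payload":{"ref":"refs/heads/main","before":"1111","head":"3333"}}
{"type":"PushEvent","created_at":"2024-01-01T06:00:00Z","repo":{"name":"acct-a/mirror"},"payload":{"ref":"refs/heads/main","before":"1111","head":"4444"}}
{"type":"PushEvent","created_at":"2024-01-01T01:00:00Z","repo":{"name":"acct-b/real"},"payload":{"ref":"refs/heads/main","before":"5555","head":"6666"}}
{"type":"PushEvent","created_at":"2024-01-01T05:00:00Z","repo":{"name":"acct-b/real"},"payload":{"ref":"refs/heads/main","before":"6666","head":"7777"}}
{"type":"WatchEvent","created_at":"2024-01-01T02:00:00Z","repo":{"name":"acct-b/real"},"payload":{}}
""".strip()

def parse_push_events(ndjson_text):
    """Yield (repo, ref, timestamp, before_sha, head_sha) for every PushEvent line."""
    for line in ndjson_text.splitlines():
        ev = json.loads(line)
        if ev.get("type") != "PushEvent":
            continue  # stars, forks, issues etc. are irrelevant to this heuristic
        ts = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        p = ev["payload"]
        yield ev["repo"]["name"], p.get("ref"), ts, p.get("before"), p.get("head")

def max_pushes_in_window(times, window):
    """Largest number of pushes inside any sliding window of length `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_suspicious_repos(ndjson_text, min_pushes=2, max_pushes=10, window_hours=10):
    """Return repos matching the article's cadence AND whose pushes rewrite the
    branch tip (a push's `before` differs from the previous push's `head`)."""
    by_branch = defaultdict(list)
    for repo, ref, ts, before, head in parse_push_events(ndjson_text):
        by_branch[(repo, ref)].append((ts, before, head))
    flagged = {}
    for (repo, ref), pushes in by_branch.items():
        pushes.sort(key=lambda p: p[0])
        n = max_pushes_in_window([ts for ts, _, _ in pushes], timedelta(hours=window_hours))
        if not min_pushes <= n <= max_pushes:
            continue  # cadence alone is coarse: the article's 16M -> 3,000 step
        rewrites = sum(1 for (_, b, _), (_, _, prev_head) in zip(pushes[1:], pushes) if b != prev_head)
        if rewrites:
            flagged[repo] = {"ref": ref, "pushes_in_window": n, "history_rewrites": rewrites}
    return flagged
```

Legitimate rebases on feature branches also rewrite history, so a hit is a lead for the per-repo review the article describes (README-only changes linking to an archive), not a verdict.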

The findings expose a blind spot in GitHub’s security: repositories that repeatedly overwrite commits evade automated detection, while the embedded zip archives slip past virus scanners until the file itself is submitted. The author has published the full list and a reusable “Git Malware Finder” script on GitHub, urging maintainers to audit repos that update README files unusually often.