“There are 10,000 repositories that exactly matched the pattern. That’s 25% of the total. Each of these repositories contains a zip archive with a Trojan.”

A researcher found ten thousand GitHub repos pushing Trojan malware, all using the same trick of README-only commits linking to infected zips. They cloned real repos with real histories to look trustworthy. GitHub only acts when someone files a report, which means it does not scan for the obvious thing. A quarter of the matched set was malware and the platform shrugged.
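The pattern described above (genuine cloned history followed by README-only commits that add links to off-repo zip archives) is easy to turn into a repository-level check. The following is an added example, not code from the original post or the researcher's tooling; the `Commit` record, the regexes and the sample history are constructed assumptions standing in for what a real tool would build from `git log --name-only -p`.

```python
import re
from dataclasses import dataclass, field


# Hypothetical commit record; a real tool would fill these from the git log.
@dataclass
class Commit:
    sha: str
    files: list                                      # paths touched by the commit
    added_lines: list = field(default_factory=list)  # '+' lines of the commit's diff


# Matches README, README.md, docs/README.rst, ... (case-insensitive).
README_RE = re.compile(r"(^|/)readme(\.md|\.rst|\.txt)?$", re.IGNORECASE)
# A URL whose target is a .zip archive, optionally followed by a query string.
ZIP_LINK_RE = re.compile(r"https?://[^\s)\]\"']+\.zip(\?[^\s)\]\"']*)?", re.IGNORECASE)


def is_readme_only(commit):
    """True when every file the commit touches is a README."""
    return bool(commit.files) and all(README_RE.search(p) for p in commit.files)


def zip_links(commit):
    """Archive links introduced by the commit's added lines."""
    return [m.group(0) for line in commit.added_lines for m in ZIP_LINK_RE.finditer(line)]


def flag_repo(commits):
    """Return SHAs of the trailing README-only commits that add .zip links.

    `commits` is in chronological order. The heuristic mirrors the text: real
    (cloned) history first, then README-only commits pointing at archives.
    """
    flagged = []
    for c in reversed(commits):
        if is_readme_only(c) and zip_links(c):
            flagged.append(c.sha)
        else:
            break  # reached the genuine history underneath
    return list(reversed(flagged))


# Constructed sample: three commits of ordinary project history, then one
# README-only commit that adds a link to an archive hosted outside the repo.
SAMPLE = [
    Commit("a1", ["src/main.c", "Makefile"], ["+int main(void) {"]),
    Commit("b2", ["src/util.c"], ["+void helper(void);"]),
    Commit("c3", ["README.md", "src/main.c"], ["+## Build"]),
    Commit("d4", ["README.md"], ["+Download the installer: https://example.invalid/tool.zip"]),
]
```

Commit `c3` touches a README but also source, so it is treated as genuine history; only `d4` is flagged.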