A developer has published a detailed account of finding 10,000 GitHub repositories distributing Trojan malware, all under different contributor names, none of them forks of each other, yet all following one pattern.

The tell is the churn. Every few hours each repository deletes and re-pushes an identical commit that swaps a download link into the README, keeping the listing fresh and repeatedly dodging takedowns. The author found them by downloading GitHub's public event archive, gharchive, and filtering for repositories updated on that short cycle. The evasion is the point: a link submitted to VirusTotal returns zero detections, while the archive it points to is flagged as a Trojan once downloaded. GitHub took weeks to act after a support request.
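
The cadence filter described above, written out as an added example (not the author's code) over a constructed gharchive-style event sample: it groups PushEvents per repository, measures the spacing between pushes, and flags repositories whose pushes recur every few hours with the same single commit message. The field names (`type`, `repo.name`, `created_at`, `payload.commits[].message`) are the public event schema; the thresholds and the sample repositories are assumptions.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the gharchive JSON-lines shape (type, repo, created_at, payload); not real data.
_ROWS = [
    ("PushEvent", "user-a/cracked-tool", "2024-01-01T00:00:00Z", "Update README.md"),
    ("PushEvent", "user-a/cracked-tool", "2024-01-01T03:00:00Z", "Update README.md"),
    ("PushEvent", "user-a/cracked-tool", "2024-01-01T06:00:00Z", "Update README.md"),
    ("PushEvent", "user-a/cracked-tool", "2024-01-01T09:00:00Z", "Update README.md"),
    ("PushEvent", "user-b/legit-lib", "2024-01-01T01:00:00Z", "Fix parser bug"),
    ("WatchEvent", "user-b/legit-lib", "2024-01-01T02:00:00Z", None),
    ("PushEvent", "user-b/legit-lib", "2024-01-03T01:00:00Z", "Add tests"),
    ("PushEvent", "user-b/legit-lib", "2024-01-04T01:00:00Z", "Release 1.2"),
]
SAMPLE_JSONL = "\n".join(json.dumps({
    "type": t, "repo": {"name": r}, "created_at": ts,
    "payload": {"commits": [{"message": m}]} if m else {},
}) for t, r, ts, m in _ROWS)

def parse_events(jsonl):
    """One event dict per non-empty line of a gharchive-style .json file."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]

def find_churning_repos(events, max_gap_hours=6.0, min_pushes=3):
    """Flag repos with >= min_pushes PushEvents whose median spacing is at most
    max_gap_hours and whose pushes all carry the same commit message (the
    re-pushed README swap). Returns {repo: {"pushes", "median_gap_hours", "message"}}."""
    pushes = defaultdict(list)
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue  # stars, forks, issues etc. are not part of the pattern
        when = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
        msgs = tuple(c.get("message", "") for c in ev.get("payload", {}).get("commits", []))
        pushes[ev["repo"]["name"]].append((when, msgs))
    flagged = {}
    for repo, items in pushes.items():
        if len(items) < min_pushes:
            continue
        items.sort()  # chronological, so gaps are between consecutive pushes
        gaps = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(items, items[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_gap_hours and len({m for _, m in items}) == 1:
            flagged[repo] = {"pushes": len(items), "median_gap_hours": median_gap,
                             "message": items[0][1][0] if items[0][1] else ""}
    return flagged
```

On a real day of archive data the same function runs unchanged over the decompressed hourly files; the thresholds are the knobs to tune against the false-positive rate of busy legitimate projects.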

As coding agents and developers increasingly install whatever a search result surfaces, a layer of SEO-poisoned repositories that scanners miss on first contact is a supply-chain problem that gets worse, not better, as more of the fetching is automated.