I found 1000 GitHub repos with malware. Can we get them deleted?
41 comments
February 28, 2025 · klaas-
rwmj
As another data point: MSFT have some sort of open mail server/service called onmicrosoft.com which (in my experience anyway) is only being used to send out fraudulent paypal messages. Because it lets the spammer set the From to service@paypal.com and also contains valid DKIM etc, it sails past spam filtering. There are so many complaints about this on (real) paypal.com forums, but Microsoft are apparently unable to do anything about it.
mcny
I use (redacted).onmicrosoft.com tenant which is free of cost to me as a sandbox to learn about office 365 admin stuff. I don't work on it every day but it is nice to have this sandbox. I don't send spam or phishing emails. I don't send emails from this tenant at all to others, only to my own email addresses or to people I know for testing purposes.
rwmj
Presumably you don't send out emails appearing to come from service@paypal.com saying things like "Reminder: You've still got a money request", with an HTML body that looks exactly like Paypal but contains a fraudulent link and phone number, so you should be fine.
chrisandchris
> 9 years ago
> This is still coming. The work is being completed now and we will be able to expose it in a few months.
I'm glad the official response has no date associated, so you won't know whether they published that yesterday or 8 years ago.
kennysoona
There used to be some sort of forum they had, I don't remember what it was, MSDN forums or Technet or something, but it used to dominate search results, and all the answers were from like, senior hobbyists who couldn't suggest much more than restarting or suggesting checking for updates. Maybe that was before every search result was Reddit or SO though.
Galanwe
That's MSDN, and these "senior hobbyists" were given a badge by MS to look credible: "MVP" (most valuable professional).
Cherry on top: you used to pay to have an MSDN membership and access this wonderful community.
To be fair though, the early MSDN was really good, and in a distant past MVP was a real achievement (say early 2000s). Now it's a weird mix of real issues and "my printer blinks red, how to fix?"
I don't think anyone reads MSDN at Microsoft anymore, it's a deadland, but I guess they generate some metrics of user engagement and product feedback from there.
kennysoona
I wasn't even talking about people who paid for a cert, just people signing up to try and help. They are generally more annoying than helpful to people who can do anything more than install and uninstall programs.
t_believ-er873
If you've identified GitHub repositories hosting malware, you can report them directly to GitHub via their Abuse Report page, providing links and any relevant details. GitHub typically removes repositories that violate their Acceptable Use Policy, but response times may vary. If the malware is actively being used for harm, you may also consider reporting it to security organizations or CERT teams.
jeroenhd
One thing I appreciate about Github is that every time I've reported something, I've felt like an actual human went through my report and actually read the things I wrote. Perhaps it's a bit silly to appreciate basic human interaction, but for so many online environments the only interaction you'll ever see is done through chatbots and automated workflows.
nubinetwork
> response times may vary
Waiting six months for Github to remove malicious repositories is unacceptable.
dcow
Why should malware repos be deleted?
Serious question. The repos aren't themselves doing harm, are valuable for research, and would be distributed some other way if GH removed them. Maybe a banner “be careful! others have reported that this repo may not do what it claims. proceed with caution” would be a more appropriate response?
jillesvangurp
There is an official policy on this: https://docs.github.com/en/site-policy/acceptable-use-polici...
So, sounds like the Github team should take some action here.
timsh
I don't think that repositories presented and named as Malware or Virus should be deleted - they're good for educational and research purposes I guess. I specifically mean those that impersonate as legit programs (if you can call a "free download" or "mod" apps legit).
qwertox
Maybe a special flag with a passcode which must be passed to `git clone`, where this passcode is shown in such a banner. To make sure you've read the banner.
ale42
To me those repos seems an abuse of what GitHub is for. I'm 100% fine with a repo hosting malware if it's there for security researchers and anybody else interested in the topic to study, etc. Even better if there is also documentation. I'm not fine with using GitHub (or any other site) as a distribution platform for malware, hiding the fact that the software is malicious in the first point.
aqueueaqueue
Good point instead of deleting, treat it like an invalid https cert. Lots of warnings and are you sures before you get to clone or fork.
42lux
Only if they disguise as non malware I guess?
episteme
> would be distributed some other way if GH removed them
Maybe? But definitely to less people? I don't see the argument for allowing them.
Cthulhu_
Doesn't distributing malware break a number of laws?
sim7c00
Totally depends on where you live. I'd say in 99% of places you won't. Also, research purposes are OK if it's obvious. You can download malware in lots of places and sources, so taking them off of GitHub really won't do anything either.
Personally, if I post such things I will either ensure it has detections everywhere or somehow neuter it. Usually for research you don't really need to have fully functioning malware, just enough to prove some question. So despite posting sources of malware being OK, and it being available in lots of places, I do think, especially for advanced things, it's better not to contribute it freely... but to each their own. I'd advise strongly against just outright posting functional cyber weapons, not because it's illegal, but simply because it's really not needed. There is more bad potential than positive use compared to broken or incomplete versions.
yuppiepuppie
What is the definition of distribution? If I posted a code snippet of malware on github or my personal site for educational purposes, does that count as distribution?
aerzen
I think the core of problem here is that applications are not isolated on the OS level.
If I download and install a mod for minecraft, it should never have access to anything on my computer, except for the minecraft game files itself. If I open a spreadsheet in Excel, the excel process should have access only to that file and its own config files.
Something similar to how android works, where the app has to explicitly ask the user to access their files.
kevindamm
You're describing Qubes, which is great but I found it tedious to use as a daily driver.
MaxGripe
In my opinion, Microsoft’s entire support is at a tragically poor and hopeless level. GitHub is flooded with open issues that remain open for years without any response from Microsoft. The same applies to Azure. The technical support there is also truly terrible, and it’s easy to find horror stories online about people losing access to their accounts and being unable to restore them.
ValdikSS
When GoodbyeDPI malware was spreading using a similar template (lots of forked repos with password-protected archives), the Github abuse team instantly deleted it upon my request. Mean response time was 10-15 minutes.
I also deleted files on the file sharing websites, such as mediafire and mega.
My abuse emails followed the clear and understandable email template: your service is hosting malware, here's the link, it's password protected and the password is X, here are virustotal results, here's the original repo which it impersonates, and I want you to delete it.
ValdikSS
However I remembered reporting the exact "cheats/cracks" from the post as well, and the response time was up to 5 days.
teddyh
If there is no malware allowed on GitHub, I guess malware researchers have to use somewhere else to host their code. Which would be a preferable outcome, honestly.
neutralx
First image in the article reminds me of draw.io diagrams. Is this a drawio theme/library, or was some other tool used to create it?
philipwhiuk
https://excalidraw.com/ probably
KomoD
Fun fact: if you come across one of these discord webhooks you can delete them.
Just curl -X DELETE https://discord.com/api/webhooks/[...]
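As an added example (my own code, not KomoD's or anything from the article), here is a small Python scanner that pulls Discord webhook URLs out of text such as a cloned stealer repo and builds the unauthenticated DELETE request KomoD describes; Discord documents this as "Delete Webhook with Token", the token in the URL being the only credential. The sample input is constructed, the token-length bound and the `ptb`/`canary` subdomains are my assumptions about the URL shape, and the request is built but deliberately not sent, since sending it destroys someone else's webhook.

```python
import re
from urllib.request import Request

# Constructed sample, shaped like the exfiltration config such repos ship.
SAMPLE_SOURCE = '''
WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/abcDEFghiJKLmnoPQRstuVWXyz-0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"
legacy  = "https://discordapp.com/api/webhooks/987654321098765432/ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba_9876543210-abcd"
other   = "https://discord.com/api/v10/channels/1/messages"   # not a webhook, must not match
'''

# Webhook URLs carry a numeric snowflake id and a long url-safe token.
# Assumption: tokens are at least 60 chars (real ones are longer); the
# optional ptb./canary. prefixes and the old discordapp.com host are included.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_-]{60,})"
)


def find_discord_webhooks(text):
    """Return (webhook_id, token, full_url) for every webhook URL in text."""
    return [(m.group(1), m.group(2), m.group(0)) for m in WEBHOOK_RE.finditer(text)]


def build_delete_request(url):
    """Build the documented 'Delete Webhook with Token' request (not sent here).

    No Authorization header is needed: whoever holds the URL holds the token,
    which is exactly why a leaked webhook URL can be killed by anyone.
    """
    if not WEBHOOK_RE.fullmatch(url):
        raise ValueError("not a Discord webhook URL: %r" % url)
    return Request(url, method="DELETE", headers={"User-Agent": "webhook-scan/0.1"})


if __name__ == "__main__":
    for wid, _token, url in find_discord_webhooks(SAMPLE_SOURCE):
        req = build_delete_request(url)
        print(wid, req.get_method(), req.full_url)
        # To actually revoke it: urllib.request.urlopen(req)
```

Running it lists the two webhook URLs in the sample and the DELETE request for each; the channel-message URL is ignored because it is not under /api/webhooks/.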
Etheryte
I'm not familiar with the context here, could you please elaborate? If I understood correctly, any unauthenticated user can delete the webhook? I can currently find hundreds of matches for that on Github, anyone could just go and delete them all?
Fokamul
Ooh, these types of malware are very old.
Most fun you can have is to generate real-like looking data (there are tools for that) and mass send them to these discord webhooks.
;-)
L-four
An unscrupulous individual might even send malware.
nottorp
"Or why you should never download game mods"...
Like everything else, you shouldn't blindly search on github - or any other download site.
Only download from links referred from the official site if there's any, or the game's forum, or any other trustable and human reviewed source.
neuroelectron
Is it really a problem to host malware on github?
sylware
You are still on microsoft github, or any git hosting which is not noscript/basic (x)html friendly?
Shame on you.
I think Microsoft has a general problem with getting rid of unwanted things within their eco-system. I keep complaining that their feedback.azure.com portal is filled with spam/malware comments and links, but even internally their teams can't reach anyone to get it fixed. Example https://feedback.azure.com/d365community/idea/9d0b22d8-c025-...