- Researcher Orchid claims to have mapped roughly 10,000 Trojan-distributing GitHub repositories—about 91 times the 109 that cybersecurity firm Hexastrike had previously confirmed in the same payload family.
- According to Orchid's blog, the repositories dodge automated detection by cycling their most recent commit every few hours under the label 'Update README.md,' resetting the clock on suspicion triggers.
- GitHub has not publicly confirmed the findings, and TechTimes reports that GitHub formally rejected related design-flaw reports, classifying the exploited commit-display behavior as a non-security concern.
What Folks Are Sayin' Down at the Feed Store
Well, butter my biscuit and call it Tuesday — a solo developer posting under the handle 'Orchid' dropped a barn-burner of a disclosure on June 18, 2026, claiming to have located roughly 10,000 GitHub repositories that have been handing out crypto-stealing Trojan malware like free biscuits at a church potluck. According to the Orchid Files blog, every last one of those repositories belongs to a different contributor, carries a different name, and shares no fork relationship with any of the others — yet they all carry the same rotten payload.
Cybernews and TechTimes both covered the disclosure on the same day and corroborated the general scale and technical mechanism Orchid described, which is about as close to a second opinion as a pseudonymous blog post is likely to get. The finding, according to Orchid, is that these repositories have been sitting on GitHub for many months — some north of a full year — without GitHub's automated systems flagging or yanking them.
The Sneaky Hog in the Pen: How the Evasion Works
Now here's where it gets slicker than a greased pig at a county fair. According to both the Orchid Files blog and TechTimes, the malicious repositories run a little routine where they wipe their most recent commit and push a brand-spanking-identical replacement every few hours, every single time labeled something boring like 'Update README.md.' The apparent point of this square dance, as Orchid describes it, is to fool security algorithms that are trained to holler at new suspicious activity rather than at old suspicious activity that's been quietly mooing in the corner for fourteen months.
The campaign also reportedly targets newly created repositories rather than high-traffic projects, which, according to TechTimes and Cybernews, helps these fake repos float near the top of search results for low-competition queries while avoiding the kind of community scrutiny that a popular project would attract. It's like setting up a counterfeit bait shop on a dirt road nobody famous ever drives down.
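A defender-side heuristic for the cycling pattern described above, added here as an example; it is not Orchid's Git Malware Finder and not GitHub's own tooling. It assumes a collector that polls each repository's HEAD on a schedule (for instance `git ls-remote` plus a lookup of the commit's tree id, or the GitHub commits API, where the tree id is `commit.tree.sha`) and records sha, tree id, message and commit date per poll. The record layout, the thresholds and the three sample repositories are all constructed for the example. The point it makes is the one in the analysis: score persistence (HEAD rewritten over and over with an unchanged tree and a boilerplate message) rather than recency, and note that the naive freshness check the cycling defeats is happily passed by the cycling repo.

```python
"""Persistence-based heuristic for 'commit-cycling' repositories.

Added example: not Orchid's Git Malware Finder and not GitHub's own tooling.
Assumes a collector that polls each repository's HEAD on a schedule and records
the commit sha, tree id, message and commit date for each poll. Field names,
thresholds and all sample data below are constructed for this example.
"""
from datetime import datetime, timezone

# Messages that say nothing about what changed (constructed list).
BOILERPLATE_MESSAGES = {"update readme.md", "update readme", "initial commit"}

# Fixed 'now' so the example is reproducible offline.
NOW = datetime(2026, 6, 18, 12, 0, tzinfo=timezone.utc)

# Constructed sample: HEAD snapshots per repository, in observation order.
SAMPLE_REPOS = {
    # Old, quiet, genuine project: HEAD does not move during the window.
    "alice/legit-cli": {
        "created_at": "2025-03-02T10:00:00Z",
        "head_snapshots": [
            {"sha": "a1", "tree": "t1", "message": "Add --verbose flag",
             "date": "2026-06-17T18:30:00Z"}
        ] * 6,
    },
    # Brand-new project with real, content-changing commits.
    "bob/fresh-project": {
        "created_at": "2026-06-16T08:00:00Z",
        "head_snapshots": [
            {"sha": "b1", "tree": "u1", "message": "Initial commit", "date": "2026-06-16T08:05:00Z"},
            {"sha": "b2", "tree": "u2", "message": "Add parser", "date": "2026-06-17T14:00:00Z"},
            {"sha": "b3", "tree": "u3", "message": "Fix tests", "date": "2026-06-18T09:30:00Z"},
        ],
    },
    # The cycling pattern: a 14-month-old repo whose HEAD is rewritten every
    # three hours with a new sha and date but an identical tree and message.
    "mallory/cool-utils": {
        "created_at": "2025-04-10T00:00:00Z",
        "head_snapshots": [
            {"sha": f"m{i}", "tree": "z9", "message": "Update README.md", "date": d}
            for i, d in enumerate([
                "2026-06-17T21:05:00Z", "2026-06-18T00:05:00Z", "2026-06-18T03:05:00Z",
                "2026-06-18T06:05:00Z", "2026-06-18T09:05:00Z",
            ], start=1)
        ],
    },
}


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def count_content_free_rewrites(snapshots) -> int:
    """Count HEAD changes where the sha moved but the tree stayed identical.

    A commit that actually changes files produces a new tree id; a new sha over
    the same tree means only metadata (date, message, parent) was rewritten.
    """
    rewrites = 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur["sha"] != prev["sha"] and cur["tree"] == prev["tree"]:
            rewrites += 1
    return rewrites


def boilerplate_ratio(snapshots) -> float:
    """Fraction of observed HEAD messages that are uninformative boilerplate."""
    if not snapshots:
        return 0.0
    hits = sum(s["message"].strip().lower() in BOILERPLATE_MESSAGES for s in snapshots)
    return hits / len(snapshots)


def looks_recently_active(repo, now=NOW, max_age_hours=24) -> bool:
    """Naive freshness check: was HEAD's commit date within the window?

    This is the kind of signal the cycling defeats: a repo that rewrites HEAD
    every few hours always looks freshly maintained.
    """
    last = _parse(repo["head_snapshots"][-1]["date"])
    return (now - last).total_seconds() <= max_age_hours * 3600


def churn_verdict(repo, now=NOW, min_rewrites=3, min_boilerplate=0.8) -> dict:
    """Score persistence, not novelty: repeated content-free rewrites under a
    boilerplate message, regardless of how old the repository is."""
    snaps = repo["head_snapshots"]
    rewrites = count_content_free_rewrites(snaps)
    ratio = boilerplate_ratio(snaps)
    return {
        "rewrites": rewrites,
        "boilerplate_ratio": round(ratio, 2),
        "age_days": (now - _parse(repo["created_at"])).days,
        "recently_active": looks_recently_active(repo, now),
        "flagged": rewrites >= min_rewrites and ratio >= min_boilerplate,
    }


def flagged_repos(repos, now=NOW) -> list:
    """Names of repositories the churn heuristic flags, in input order."""
    return [name for name, repo in repos.items() if churn_verdict(repo, now)["flagged"]]


if __name__ == "__main__":
    for name, repo in SAMPLE_REPOS.items():
        print(f"{name:22s} {churn_verdict(repo)}")
```

All three sample repositories pass the freshness check, so a detector keyed on recent activity learns nothing from it; only the cycling repository accumulates content-free rewrites, which is why the verdict keys on the tree id rather than the commit sha or date. The thresholds are illustrative and would need tuning against real polling data, and a collector that samples less often than the rewrite interval will undercount rewrites.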
What We Actually Know for Certain
Here is the part of the conversation where we separate the verified catfish from the alleged catfish. Cybersecurity firm Hexastrike had already independently documented the same payload family back in April 2026, per TechTimes, having spotted 109 repositories — which means there is genuine third-party technical corroboration that this payload is real and this campaign exists. What Hexastrike has not confirmed is Orchid's far larger count of roughly 10,000 repositories; that figure comes entirely from Orchid's own automated detection script.
The broader pattern of GitHub being used as a malware distribution highway is, however, about as firmly established as the humidity in August. The Hacker News documented a separate trojanized-repository campaign in June 2025. Help Net Security covered the GitVenom campaign, in which hundreds of repositories distributed malware across multiple years. Risky Business Media noted in March 2026 that GitHub's malware problem was genuinely worsening. CISA issued a supply chain alert in May 2026 covering the Megalodon GitHub Actions poisoning campaign. And StepSecurity documented the Miasma worm reaching Microsoft's own Azure GitHub organizations on June 5, 2026, resulting in 73 repositories being disabled.
What Nobody Has Pinned Down Yet
Orchid's 10,000-repository count has not been subjected to an independent full-scale audit — no outside party has crawled the entire list and blessed every entry. The threat actor's identity is a complete mystery. Hexastrike assessed that the operation looks like the work of a single actor or a tightly coordinated group, based on overlapping infrastructure and synchronized updates, but Orchid's own writeup notes that all the repositories show different contributors, and nobody has publicly identified who is actually running this circus.
GitHub has not put out any public statement confirming or disputing Orchid's findings. According to TechTimes, when Orchid first reported individual repositories, GitHub Support took roughly six weeks to respond and confirmed only those specific repositories were removed — leaving the broader pattern unaddressed. TechTimes also reports that GitHub formally rejected design-flaw reports related to the commit-display behavior this campaign exploits, classifying it as outside the scope of security concerns, a characterization GitHub has not publicly elaborated on in the context of this specific disclosure.
The Part Where Orchid Got Fed Up and Did It Himself
When you've got 10,000 bad neighbors and the homeowners association won't return your calls, apparently you build your own fence. According to TechTimes, Orchid released an open-source detection tool called Git Malware Finder along with a full list of the identified repositories, explaining that GitHub's security team had not responded to bulk disclosures and that individually reporting thousands of repositories was about as practical as shoveling manure with a teaspoon.
The tool and list are posted publicly on GitHub itself, which means any developer or organization willing to do the legwork can cross-check their own dependencies against Orchid's findings. That is about the closest thing to independent verification available right now, though it still relies on Orchid's underlying detection logic rather than a fully external audit.
Our Analysis: GitHub's Got a Barn Full of Wolves It Can't Count
This is analysis, not reporting: the structural problem Orchid describes — detection systems that react to novelty rather than persistence — would be a genuinely nasty design gap if it holds up under broader scrutiny. The commit-cycling technique is elegant in a deeply annoying way, exploiting the assumption that anything old enough to have survived automated review must be clean. If that assumption is baked into GitHub's tooling, then longevity becomes camouflage, which is roughly as backwards as a screen door on a submarine.
The 10,000-repository figure should be treated as a working estimate from a motivated solo researcher, not a certified count from an auditing body. The payload's existence is corroborated; the scale is not. That said, even if the real number turns out to be a fraction of 10,000, the documented pattern of repeated, multi-campaign GitHub abuse across Stargazers Ghost Network, GitVenom, Banana Squad, Webrat, Megalodon, and Miasma suggests the platform has a structural attractiveness to malware operators that individual takedowns are not resolving. Developers who clone unfamiliar repositories — particularly ones surfacing in search results for niche queries — might want to be as suspicious as a coonhound that just smelled something it can't quite place.
Who is doing the hollering
These links show where the chatter came from. A link is attribution, not our endorsement or independent confirmation.
- How I found 10,000 GitHub repositories distributing Trojan malware (Orchid Files · primary)
- 10,000+ malicious GitHub repositories discovered distributing Trojans (Cybernews · top tier)
- GitHub Malicious Repositories: 10,000 Trojan Clones Evade Detection for Over a Year (TechTimes · specialist)
- 200+ Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers (The Hacker News · top tier)
- Hundreds of GitHub repos served up malware for years (Help Net Security · specialist)
- Risky Bulletin: GitHub is starting to have a real malware problem (Risky Business Media · specialist)
- Supply Chain Compromises Impact Nx Console and GitHub Repositories (CISA · primary)
- Miasma Worm Hits Microsoft Again: Azure Functions Action and 72 Other Repositories Disabled (StepSecurity · specialist)
- GitHub Breach via Malicious VS Code Extension: What You Need to Know (Varonis · specialist)
- git-malware-finder full list (GitHub / orchidfiles · primary)
Last checked Jun 19, 2026, 9:08 AM EDT.
Talk Around Town: The 10,000-repository count comes from a single researcher's automated script and has not been independently verified at full scale. The identity of the threat actor is unknown. GitHub has not publicly confirmed the findings or stated whether removals are underway.