Safeguard
Software Supply Chain Security

GitHub repo confusion and malware repositories

Fake GitHub repos with forged stars and AI-written READMEs are stealing crypto and credentials. Here's how repo confusion attacks actually work.

Nayan Dey
Security Researcher
7 min read

In February 2025, Kaspersky researchers unpacked a campaign called GitVenom: hundreds of GitHub repositories posing as game cheats, Instagram automation bots, and Bitcoin trading tools, each stuffed with AI-generated READMEs, inflated commit histories, and topic tags designed to rank in GitHub search. The campaign had run for at least two years. One of the attacker-controlled Bitcoin wallets Kaspersky traced had received 5 BTC — worth roughly $456,600 at the time it was discovered. None of the victims downloaded a package from npm or PyPI. They cloned a repository that looked, at a glance, like any other open-source project.

This is repo confusion: attackers exploit the fact that developers trust GitHub's URL bar the way they trust a bank's. With over 518 million repositories now hosted on the platform (GitHub Octoverse, 2024), and no centralized vetting of what a repo actually contains, a convincingly named clone with fake stars is often all it takes to get malicious code onto a developer's machine — and from there, into a build pipeline.

What Is GitHub Repo Confusion?

GitHub repo confusion is an attack where a threat actor creates a repository designed to be mistaken for a legitimate, trusted project — through a similar name, a cloned README, forged commit history, or purchased/faked social proof like stars and forks — in order to get developers to clone, fork, or depend on malicious code. It's the repository-level analog of package typosquatting (like crossenv mimicking cross-env on npm in 2017), but it operates one layer up the supply chain: instead of tricking pip install or npm install, it tricks a human into running git clone, opening a project in an IDE, or copy-pasting a "quick start" command from a README. Because the entry point is a URL rather than a registry lookup, standard package-manager typosquat defenses — name-similarity scanners on npm/PyPI — don't catch it. The malicious payload usually lives in a build script, a postinstall hook, an obfuscated dependency, or a binary hidden in an assets/ folder that the README instructs you to run directly.

How Did the GitVenom Campaign Use Fake Repos to Steal Cryptocurrency?

GitVenom used AI-generated documentation and manipulated commit metadata to make throwaway repositories look like mature, active projects, then buried a Node.js backdoor and an AutoIt-compiled trojan inside seemingly ordinary automation scripts. Kaspersky identified repositories targeting Python, JavaScript, and C developers with projects like Telegram bot managers and Valorant cheat tools. The payload chain typically installed a clipboard hijacker that swapped copied cryptocurrency wallet addresses for attacker-controlled ones, alongside a remote-access trojan for persistent control. Victims were concentrated in Russia, Brazil, and Turkey, but the technique — plausible project, fake polish, real backdoor — isn't geography-specific, and Kaspersky noted the campaign infrastructure had been active since at least 2023 without drawing sustained attention.

What Is the Stargazers Ghost Network and How Does It Fake Credibility?

The Stargazers Ghost Network is a "Distribution-as-a-Service" operation, documented by Checkmarx in July 2024, that rents out a coordinated fleet of over 3,000 fake GitHub accounts to star, fork, and watch malicious repositories so they appear popular and trustworthy. Checkmarx tracked more than 1,500 repositories tied to the network, distributing commodity malware including RedLine Stealer, Lumma Stealer, and RisePro through repos disguised as game cracks, cracked software loaders, and cryptocurrency tools. The business model is the notable part: the ghost accounts themselves aren't the payload delivery mechanism — they're sold as infrastructure-for-hire to other criminal groups, who point their own malicious repos at the network to buy instant, fabricated credibility. A repo with 400 stars and a dozen forks clears the mental bar most developers use to judge "is this legit" in under two seconds, which is exactly the bar this network is built to clear.

How Does Lazarus Group Use Fake Coding-Test Repos to Target Developers?

Lazarus Group, North Korea's state-sponsored threat actor, runs a campaign — tracked by Palo Alto Unit 42 as "Contagious Interview" since at least November 2023 — that poses as recruiters to lure software developers into cloning a private GitHub repository framed as a take-home coding assessment. The repos are named to look like ordinary technical exercises (project names such as coin-toss games or video-conferencing utilities have been documented), but a dependency or setup script quietly installs backdoors like BeaverTail and InvisibleFerret, which harvest browser credentials and cryptocurrency wallet data. The targeting skews heavily toward developers in the crypto and Web3 industry, and the social engineering is patient: fake LinkedIn recruiter accounts, real-sounding job postings, and a multi-step "interview" process before the malicious repo is ever shared. It's a deliberate inversion of the usual threat model — the victim isn't tricked by a search result, they're personally invited to clone the malicious code by someone posing as a hiring manager.

Why Do Cloned and Typosquatted Repos Still Fool Experienced Developers?

Cloned and typosquatted repos fool experienced developers because the trust signals developers actually rely on — name similarity, star count, commit frequency, README quality — are all trivially forgeable at zero marginal cost. A repo named stable-diffusion-webui-forge or discord.js-selfbot-v14 reads as a plausible fork or variant rather than an obvious fake, and GitHub's own search and topic-tagging system can be gamed the same way SEO is gamed on the open web, which is precisely how GitVenom-style repos surface near the top of results for terms like "roblox exploit 2025" or "free crypto bot." Large language models have also lowered the cost of producing a convincing README, contribution history, and even fake GitHub Issues threads discussing (fabricated) bug fixes — Kaspersky specifically flagged AI-generated documentation as a GitVenom hallmark. None of this requires compromising a real maintainer account; it's cheaper to build a new, disposable fake than to steal an established one.

How Can Organizations Detect Malicious Repositories Before They Reach Production?

Organizations can catch malicious repositories before they reach production by treating every new dependency source — not just registry packages — as an untrusted input that gets scanned before it's cloned into a CI runner or a developer's laptop. That means checking repo provenance and account age against known ghost-network patterns (accounts created in clusters, star velocity that doesn't match commit velocity), scanning install/build scripts and postinstall hooks for network calls or obfuscated payloads rather than trusting the README, and applying the same scrutiny to a "coding assessment" repo shared over LinkedIn as you would to an unsolicited email attachment. Static name-matching against your organization's approved dependency list catches typosquats; it does nothing for a repo that isn't pretending to be a specific project, which is why behavioral scanning of what a repo's scripts actually do at install and build time matters more than what its README claims.

How Safeguard Helps

Safeguard's Griffin AI engine analyzes newly introduced repositories and dependencies for the same behavioral red flags seen in GitVenom and Stargazers Ghost Network cases — obfuscated install scripts, unexpected outbound network calls, and clipboard or credential-access patterns — before that code ever runs in a build. Reachability analysis then determines whether a flagged package or script is actually exercised by your application, so security teams triage real exposure instead of chasing every match in a scan. Safeguard's SBOM generation and ingest give you a durable record of exactly which repositories and third-party sources fed into a given build, which matters when a repo used months ago turns out to belong to a network like Checkmarx's ghost accounts. And where a fix is available — pinning to a verified fork, swapping a compromised dependency, removing a malicious script reference — Safeguard opens an auto-fix pull request directly against the affected branch, so remediation doesn't wait on a manual review cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.