Coding with Lewis

GitHub's trending page is being exploited by attackers who create repositories with legitimate-sounding names and purchase fake stars to lure developers into downloading malware. Researchers built Star Scout, which scanned six years of GitHub metadata and identified over 6 million suspicious fake stars by detecting ghost accounts and coordinated starring clusters. One group called Banana Squad published nearly 70 repos mimicking real Python security tools, hiding malicious code by padding it with hundreds of blank spaces to push it off-screen. A separate campaign compromised a single GitHub Action and put over 23,000 repositories at risk. The open source ecosystem's trust model is being systematically exploited at scale.

GitHub has a malware problem

I’m safe, I never look at GitHub’s trending page.

Some would say, since M$ took over github it has become malware

I’m really surprised how threats are literally everywhere.

Because you don’t look at the trending page doesn’t mean the repos you pull are safe.
A recent example is the well-known NPM React dependency Axios malware (see this post) when that broadly used NPM repo got a fraudulent version pushed by an attacker, contaminating millions of users by simple npm run install / update updating their dependencies, or rebuilding from scratch.
That’s why most professionals would put a proxy between the public repo and their final dev platforms, which runs security checks before tagging the version as safe.
Another widely used solution, although not just used for its security aspect, is defining the specific versions in your dependencies managers’ files (package.json, pom.xml, build.gradle, pyproject.toml, etc…).

That’s very shocking news! Hope all are will be safe.