GitHub blighted by “researcher” who created thousands of malicious projects (August 2022)
Just over a year ago, we wrote about a "cybersecurity researcher" who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI. This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to those of well-known projects, presumably in the hope that some of them would get installed by mistake when users searched with slightly incorrect terms or mistyped PyPI URLs.
A GitHub source code search that Lacy carried out in good faith led him to a legitimate-looking project.
As Lacy explained, "Thousands of fake infected projects [were] on GitHub, impersonating real projects. All of these were created in the last".
Since the commit used a real gh user's email, the result is thousands of fake infected projects are on gh impersonating real projects.
The attacker's commands run with the same access privileges as the now-infected program incorporating the poisoned project.
If you openly leech other people's trustworthy code and re-upload it as if it were a legitimate project after deliberately infecting it with data-stealing malware and remote code execution backdoors, don't expect anyone to buy your excuses.