The Repos Look Real. They Are Not.
Security researchers have identified more than 10,000 fake GitHub repositories designed to distribute crypto-stealing trojans. The repositories are not targeting human developers who read code before running it. They are targeting AI coding agents — tools like Copilot, Claude Code, Cursor, and Devin that clone repositories, install dependencies, and execute code as part of their workflow. The attack surface is not human judgment. It is automated trust.
The fake repositories mimic legitimate projects with functional README files, realistic commit histories, and plausible directory structures. Over 300 confirmed malicious delivery packages have been identified within the network. Each repository appears to offer utility — data processing tools, API wrappers, configuration helpers — while embedding trojan payloads in installation scripts and dependency chains.
Search Ranking as a Weapon
The repositories are updated every few hours with new commits. Old commits are deleted and replaced. This cadence serves a specific purpose: maintaining GitHub search ranking above the legitimate repositories they impersonate. When an AI agent searches for a library by name, the fake version appears first. The agent clones it, runs the install, and the payload executes.
Directory names within the repositories use obscure biological and Latin terminology — a signature that researchers attribute to AI-generated content. The naming patterns are consistent enough across the 10,000 repositories to suggest a single automated pipeline generating and maintaining the entire network. The operation is industrialized, not opportunistic.
AI Agents Are the New Attack Surface
The shift from human developers to AI coding agents changes the security calculus. A human developer might notice an unfamiliar repository, check the star count, read the commit history, or scan the code before executing. An AI agent follows instructions: find a library, clone it, install it, use it. The agent's evaluation of a repository is based on pattern matching — does the README describe the right functionality, does the code structure look correct, does the package install cleanly.
Cloudflare's 2026 data shows that 57.5% of web traffic is now generated by bots. AI coding agents represent a growing share of that automated traffic — and they interact with code repositories in ways that create execution opportunities for malicious payloads. The trojanized repository network exploits the gap between a repository that looks legitimate and a repository that is legitimate.
The Supply Chain Has Moved
Traditional supply chain attacks target package registries — npm, PyPI, RubyGems. The trojanized repository campaign targets an earlier stage: the point where code is discovered and selected. Package registries have implemented malware scanning, signature verification, and provenance tracking. GitHub repositories have none of these protections at the discovery layer. A search result is not a trust signal.
For organizations deploying AI coding agents in production workflows, this campaign surfaces a concrete risk: the agent's ability to find and use code is also its vulnerability. Repository provenance verification, allowlists for trusted sources, and sandboxed execution environments are no longer optional security measures. They are the minimum viable defense against a supply chain that now includes AI agents as both targets and vectors.


