Hello again,

I’ve built a funny little website that lists potentially malicious or at the very least suspicious GitHub repositories. You can check it out under the following URL:

https://ghmlwr.0dave.ch/

Although I’m not very active in the threat intel / malware analysis / “blue team” side of things, I enjoy dabbling in that general area at times. My main motivation when doing so is pissing off random script kiddies and poking fun at their unoriginal creations and getting them flagged on VT, and in this particular case GitHub.

To give you some insight into how my pet project currently works, let me draw you a picture.

I use GitHub Actions to periodically fetch new repository metadata via their repository search REST API and commit the obtained data back into the repository that performs the action.

Over at ghmlwr.0dave.ch, I have a cron job configured which periodically pulls from the data source. The newly obtained metadata is then filtered to find new suspects.

While filtering, I ask simple questions to determine if a repository is suspect. For instance, if the repository had a sudden surge of stargazers or forks within just a few minutes, then the repository may have been boosted by bot accounts to make the repository more visible to potential victims.

Once the raw data is filtered, I re-generate the website (a single index.html file).
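The stargazer/fork surge question from the filtering step, sketched as an added example that is not the site's own code. The thresholds, the `fetched_at` field and the sample snapshots are assumptions made for illustration; `full_name`, `stargazers_count` and `forks_count` are the field names GitHub's REST API returns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; the post does not say which values the site uses.
WINDOW = timedelta(minutes=10)
MIN_JUMP = 50  # new stars or forks inside WINDOW that count as a surge
METRICS = ("stargazers_count", "forks_count")  # field names from GitHub's REST API

def snap(name, when, stars, forks):
    # Constructed sample record; "fetched_at" is a hypothetical collector field.
    return {"full_name": name, "fetched_at": when,
            "stargazers_count": stars, "forks_count": forks}

SNAPSHOTS = [
    snap("example-a/free-tool", "2024-05-01T12:00:00", 3, 0),
    snap("example-a/free-tool", "2024-05-01T12:05:00", 40, 2),
    snap("example-a/free-tool", "2024-05-01T12:10:00", 95, 4),
    snap("example-b/slow-growth", "2024-05-01T12:00:00", 100, 10),
    snap("example-b/slow-growth", "2024-05-01T18:00:00", 180, 12),
    snap("example-c/forked", "2024-05-01T12:00:00", 1, 0),
    snap("example-c/forked", "2024-05-01T12:05:00", 2, 60),
    snap("example-d/first-seen", "2024-05-01T12:00:00", 500, 80),
]

def find_surges(snapshots, window=WINDOW, min_jump=MIN_JUMP):
    """Map full_name -> {metric: largest jump seen inside any window}."""
    history = defaultdict(list)
    for record in snapshots:
        seen = datetime.fromisoformat(record["fetched_at"])
        history[record["full_name"]].append((seen, record))

    suspects = {}
    for name, snaps in history.items():
        snaps.sort(key=lambda pair: pair[0])
        for i, (t_new, newer) in enumerate(snaps):
            # Baselines are earlier snapshots of the same repo inside the window.
            # A repo seen only once has none, so it cannot be flagged yet.
            baselines = [old for t_old, old in snaps[:i] if t_new - t_old <= window]
            for metric in METRICS:
                for old in baselines:
                    jump = newer[metric] - old[metric]
                    if jump >= min_jump:
                        best = suspects.setdefault(name, {})
                        best[metric] = max(best.get(metric, 0), jump)
    return suspects

if __name__ == "__main__":
    for name, jumps in find_surges(SNAPSHOTS).items():
        print(name, jumps)
```

A repository with a high count on first sight (`example-d/first-seen`) is not flagged, because a surge needs at least two snapshots inside the window; slow organic growth over hours (`example-b/slow-growth`) is ignored for the same reason.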

Remember: if you’re ever bored, feel free to dig around and report some repositories :)

’til next time.