Fourth-Wave GitHub Issue Abuse Report
Last updated: 2026-06-19 Asia/Shanghai
This report summarizes GitHub issue-abuse campaigns observed in Niubi Guard's hosted protection data and in public GitHub Issue records. The public report uses aggregated statistics and redacted samples; complete evidence is retained in the hosted Guard audit trail for authorized maintainers. It is not an official GitHub determination.
Executive Summary
Niubi Guard has now recorded four coordinated abuse waves targeting open-source maintainers through GitHub Issues and comments. The campaigns repeatedly use fake-star accusations, "blank account" or "zombie stargazer" narratives, and threat-style wording about GitHub reports, repository shutdown, traffic removal, or Stargazer cleanup.
The fourth wave started on 2026-06-18 UTC and was confirmed by Guard as github-issue-abuse-wave-2026-06-18-round-4. It involved 7 high-confidence suspicious accounts, 658 abnormal issues, and 322 affected repositories in about 2.5 hours.
Known Waves
| Wave | Window (UTC) | Accounts | Abnormal issues | Affected repositories | Risk |
|---|---|---|---|---|---|
| github-abuse-wave-2026-05-08 | 2026-05-07 20:35:50 to 20:47:37 | 5 | 1,584 | 161 | High |
| github-issue-abuse-wave-2026-05-31 | 2026-05-26 09:46:51 to 2026-05-31 15:47:32 | 6 | 1,127 | 525 | Critical |
| github-issue-attack-2026-05-31 | 2026-05-31 15:38:22 to 16:21:30 | 21 | 38,022 detections | 9 | High |
| github-issue-abuse-wave-2026-06-18-round-4 | 2026-06-18 14:36:08 to 17:03:10 | 7 | 658 | 322 | Critical |
The 2026-05-31 data contains two campaign records: one conservative cross-repository campaign and one high-volume Guard detection campaign. The latter includes repeated detections in protected repositories, so its count should be read as Guard detections rather than unique public issues.
Fourth Wave Details
Guard campaign: github-issue-abuse-wave-2026-06-18-round-4
Confirmed pattern:
- Fourth coordinated GitHub issue-abuse wave.
- Blank-account cluster registered in April 2026.
- High-frequency cross-repository posting within about 2.5 hours.
- Repeated fake-star, blank-account, Stargazer-list and traffic-removal wording.
- Threat-style GitHub report and repository-shutdown narrative.
High-confidence account cluster:
| Account | Role | Registered at (UTC) | Public repos | Followers | Following | Issues | Repositories |
|---|---|---|---|---|---|---|---|
| acct-4w-seed-01 | seed | 2026-04-10 19:11:28 | 0 | 0 | 0 | 151 | 94 |
| acct-4w-seed-02 | seed | 2026-04-09 13:07:42 | 0 | 0 | 0 | 141 | 45 |
| acct-4w-seed-03 | seed | 2026-04-09 17:12:21 | 0 | 0 | 0 | 120 | 98 |
| acct-4w-associated-01 | associated | 2026-04-09 12:54:58 | 0 | 0 | 0 | 70 | 51 |
| acct-4w-associated-02 | associated | 2026-04-09 17:18:58 | 0 | 0 | 0 | 65 | 50 |
| acct-4w-associated-03 | associated | 2026-04-09 19:21:48 | 0 | 0 | 0 | 64 | 46 |
| acct-4w-associated-04 | associated | 2026-04-09 19:06:14 | 0 | 0 | 0 | 47 | 34 |
Operator Guidance
Recommended response for maintainers:
- Keep automatic destructive actions disabled until the repository owner is comfortable with the false-positive risk.
- Enable keyword detection, deny-list checks, and cold-start account signals first.
- Use review mode for LLM moderation before enabling issue deletion, issue locking, or user blocking.
- Record sample URLs and action logs in issues so future maintainers can audit why a pattern was added.
- Avoid naming normal users from low-confidence searches. Only add accounts that match repeated behavior, public metadata signals, and cross-repository campaign evidence.
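The guidance above, sketched as an added triage example (not Niubi Guard's own code): it combines keyword, deny-list and cold-start signals and only queues issues for review unless the owner has explicitly enabled destructive actions. The keyword list, the 90-day age threshold, the action names and the `Author` type are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed keyword list, built from the wording themes named in this report.
KEYWORDS = ("fake star", "blank account", "zombie stargazer",
            "stargazer list", "traffic removal", "repository shutdown")
DENY_LIST = {"acct-4w-seed-01"}  # redacted placeholder login from the table above

@dataclass
class Author:  # hypothetical container for public account metadata
    login: str
    created_at: datetime
    public_repos: int
    followers: int
    following: int

def cold_start(author, now, max_age_days=90):
    """Young account with no public repos, followers or following (threshold assumed)."""
    age_days = (now - author.created_at).days
    return (age_days <= max_age_days and author.public_repos == 0
            and author.followers == 0 and author.following == 0)

def triage(author, title, body, now, destructive_enabled=False):
    """Return (action, signals); action is allow, label, review or lock."""
    # Normalize hyphens so "fake-star" and "fake star" match the same keyword.
    text = f"{title}\n{body}".lower().replace("-", " ")
    signals = []
    if any(k in text for k in KEYWORDS):
        signals.append("keyword")
    if author.login in DENY_LIST:
        signals.append("deny_list")
    if cold_start(author, now):
        signals.append("cold_start")
    if not signals:
        return "allow", signals
    if len(signals) == 1:
        # One signal alone is low confidence: label for audit, take no action on the user.
        return "label", signals
    if destructive_enabled and "deny_list" in signals:
        return "lock", signals  # only after the owner has accepted the false-positive risk
    return "review", signals    # default: human review, nothing destructive

if __name__ == "__main__":
    now = datetime(2026, 6, 18, 15, 0, tzinfo=timezone.utc)
    # Constructed sample using the redacted account metadata from the table.
    seed = Author("acct-4w-seed-01", datetime(2026, 4, 10, 19, 11, 28, tzinfo=timezone.utc), 0, 0, 0)
    print(triage(seed, "Fake-star report", "Blank account stargazers found", now))
```

Returning the matched signals alongside the action gives maintainers the audit record the guidance asks for when a pattern is added or an action is taken.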