Ghost-Repos on GitHub
I was originally analyzing GitHub repositories, trying to find those with the fastest star growth in the last two days, but I unexpectedly discovered a large number of "ghost repositories."
These repositories were created by different accounts, but they have very similar creation times and total star counts. The content is also essentially identical. They are disguised as certain toolkits, inducing users to download a certain exe file, but there is not a single line of code.
Such repositories, within just a few hours of creation, have almost 200 stars, which is clearly abnormal. Based on past experience, they will be deleted after existing for a while.
Therefore, I have archived these pages on GhostArchive, so even if the attackers delete the repository and run away, the original appearance of these repositories can still be seen.
https://ghostarchive.org/archive/V3FII
https://ghostarchive.org/archive/nJOOB
https://ghostarchive.org/archive/dnNlL
https://ghostarchive.org/archive/XMFp8
https://ghostarchive.org/archive/RDiNl
https://ghostarchive.org/archive/Twh9s
https://ghostarchive.org/archive/fagjw
https://ghostarchive.org/archive/yWDRT
https://ghostarchive.org/archive/u9JBe
https://ghostarchive.org/archive/Ns3vZ
The code used to find these "ghost repositories" is also open source, so everyone can verify it on their own.
https://github.com/chmod777john/github-hunter/
Actually, the original intention of the project was to find those projects that have a short creation time but a rapid increase in stars in a short period. These projects can be considered as typical early-stage excellent projects that are bound to become very popular in the future.
After digging up these projects, I would write a piece of text, upload it to the blockchain, as a "prophecy". In the future, if the projects I predicted become very popular, everyone will know that "this guy has a good eye."
Unexpectedly, I also dug up these ghost repositories. It's really a dark forest, and for the first time, I truly feel that someone is engaging in these social engineering activities on GitHub.
But the situation is still good now, as these repositories are basically all in the same style, indicating that there is essentially only one organization doing this kind of thing.
All the following pages are backed up on GhostArchive.
I decided to find the real culprit. First, I will check who starred this repository.
Visit https://github.com/ezzy-aja/Valorant-H4ck/stargazers?page=1 (backup https://ghostarchive.org/archive/aqOPS )
and
https://github.com/Thang2k7/Xbox-Game-Pass-Activator-Free-2024/stargazers (backup https://ghostarchive.org/archive/28kJL)
Many stargazers are repeated. Most of the accounts have no trace, no commit history. But after searching, I finally found an account that looks like it belongs to a real person.
https://github.com/G4tito?tab=stars (backup https://ghostarchive.org/archive/UESF2)
You can see that he has starred many of these fraudulent repositories.
https://github.com/G4tito/Simple-WaBot (backup https://ghostarchive.org/archive/ozlFg)
Moreover, he has his own real repository, indicating that this is not a zombie account, but rather the main account of the fraudster (or one of his accomplices).
However, this alone is not enough to identify him in the real world. He also has a follower who is a big shot and has a YouTube account in the real world.
https://github.com/G4tito?tab=followers (backup https://ghostarchive.org/archive/J4ckv )
https://github.com/elrebelde21 (backup https://ghostarchive.org/archive/tiCSv )
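The two signals described above (stars piling up within hours of creation, and the same stargazers recurring across repositories) can be combined into a simple check. This is an added example, not code from the github-hunter project; the repository names, accounts, timestamps and thresholds are constructed for illustration.

```python
from datetime import datetime, timezone
from itertools import combinations

# Constructed sample data (not real repositories or accounts).
REPOS = {
    "acct-a/free-tool": {"created": "2024-05-01T08:00:00Z", "stars": 196,
                         "stargazers": {"u1", "u2", "u3", "u4", "u5"}},
    "acct-b/game-activator": {"created": "2024-05-01T08:20:00Z", "stars": 201,
                              "stargazers": {"u1", "u2", "u3", "u4", "u9"}},
    "acct-c/real-lib": {"created": "2023-01-10T12:00:00Z", "stars": 340,
                        "stargazers": {"u5", "u20", "u21", "u22", "u23"}},
}
NOW = datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc)  # constructed observation time

def stars_per_hour(repo, now=NOW):
    """Average star rate since creation (age floored at one hour)."""
    created = datetime.fromisoformat(repo["created"].replace("Z", "+00:00"))
    hours = max((now - created).total_seconds() / 3600, 1.0)
    return repo["stars"] / hours

def jaccard(a, b):
    """Share of stargazers two repositories have in common."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def suspicious_pairs(repos, min_rate=20.0, min_overlap=0.5):
    """Pairs of fast-growing repos that share most of their stargazers.
    Both thresholds are assumptions chosen for this sample data."""
    fast = sorted(n for n, r in repos.items() if stars_per_hour(r) >= min_rate)
    pairs = []
    for a, b in combinations(fast, 2):
        overlap = jaccard(repos[a]["stargazers"], repos[b]["stargazers"])
        if overlap >= min_overlap:
            pairs.append((a, b, round(overlap, 2)))
    return pairs

def recurring_stargazers(repos, pairs):
    """Accounts that starred more than one of the flagged repositories."""
    flagged = {name for a, b, _ in pairs for name in (a, b)}
    counts = {}
    for name in flagged:
        for user in repos[name]["stargazers"]:
            counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, c in counts.items() if c > 1)

if __name__ == "__main__":
    pairs = suspicious_pairs(REPOS)
    print(pairs)
    print(recurring_stargazers(REPOS, pairs))
```

The older repository is not flagged despite having the most stars, because its stars accumulated over a long period.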
My ETH wallet address: 0xd4fC8280410376701849a58c0F2F7Be7BD4A8C9e
Sui wallet address: 0xf737052e6963d2cccd753aa4f732ecf807abd48b3a523bf6bf291bffdff2b075
After this is uploaded to Arweave, there should also be an Arweave wallet address.
There is also an early proof here. https://viewblock.io/arweave/tx/0ekQ1xG6AFXIf0xCZB1ZVU4D8N85-OuQ7nH46QFFy9g