How to bulk report malicious repositories?

[Reelix]

🏷️ Discussion Type

Question

Body

Greetings,

Apologies if this is in the incorrect category - There's no nice category for this :)

Over the past several months I've been reporting Github Repos / Users involved in a fake job interview scam that results in users environment variables being stolen, and their device being compromised.

Sample write-ups of this scam by various people can be found at the following:

https://github.com/bryanchriswhite/dev-trap-dossiers/tree/main/incidents/2026-05-18-realfraction
https://github.com/oliver-zehentleitner/technopathy/blob/main/cmok19cfw004i2di49xkiaefs.md
https://github.com/byte-pipe/tech-news/blob/master/data/2026-05-05/content/devto-a-linkedin-recruiter-sent-me-malware-disguised-as.md
https://github.com/S0AndS0/S0AndS0.github.io/blob/master/misc/_scammers/2026-04-10_Barbosa-Renato-of-World-Cup-Fantasy-Project.md
https://github.com/bryanchriswhite/dev-trap-dossiers
https://dev.to/vladimirnovick/a-linkedin-recruiter-sent-me-malware-disguised-as-a-pre-interview-code-review-2k3j
https://www.youtube.com/watch?v=VA7PsdI0zs8

---

The problem with this is that every time I report them, and one eventually gets taken down, they generally just create a new repo.

For example, here is a search with around 20 of them (Along with multiple writeups on the scam being discussed)

WARNING - DO NOT CLONE ANY OF THESE

https://github.com/search?q=%22axios.post%28api%2C+%7B+...process.env+%7D%22&type=code

They can relatively easily be verified by finding where the setApiKey functionality is called that base64 decodes a Vercel-hosted URL that the data is exfiltrated to (I have also been getting them shut down Vercels side, but the same scenario happens there - One gets shut down, they create a new one 5 minutes later, and update the Github repo with the new link).

The main problem is that Github lacks a bulk reporting feature to report these en-masse (Reporting only has a single link), and reporting them individually goes nowhere as demonstrated above - They can create them faster than I can get them shut down. I have attempted to contact support about this on several occasions, but have received on reply.

If anyone has a nice way to bulk report repositories, I would be thankful for any information.

[Soutikkk]

You can also report the infrastructure providers simultaneously.

As you mentioned, Vercel takedowns help temporarily, but domain registrars and hosting providers may sometimes respond faster when provided with campaign-level evidence instead of isolated repository reports.

The current abuse reporting flow is largely designed around individual reports, which becomes extremely inefficient for campaigns like this where malicious actors can continuously recreate repositories.

But if i am not wrong, Unfortunately, GitHub does not currently provide a public bulk-reporting feature for repositories or users

[Reelix]

The code is hosted on Github (Which is then cloned and run by an unknowing job candidate), and the data is exfiltrated to a Vercel domain - There is no other registrar or hosting provider known in the process.

Take https://github.com/Ritual-Product/MetaPlay for example.

https://github.com/Ritual-Product/MetaPlay/blob/main/controllers/auth.js#L70

There's the line where it exfiltrates the users data.

https://github.com/Ritual-Product/MetaPlay/blob/main/socket/index.js#L73

There's the location the C2 is loaded from. That base64 decodes to https://gamboracle.vercel.app/api which is currently live.

Who am I meant to report to aside from Vercel and Github? Even when I do, they sometimes take the domain / repo down in a week (If at all), and then the malicious user would just register a new one 5 minutes later and updates the Repo.

Vercel COULD figure out the commonality between the dozens of malicious domains as they're almost certainly being registered by the same user, and Github COULD do the same, but at the time they both refuse to do so, so I'm stuck reporting one by one, requiring pages of detailed information and screenshots along the way, only for my effort to be negated in seconds on the odd occasion should someone take action.

[alive-xd]

I've been seeing the same campaign. The actors appear to recreate repositories and accounts faster than individual reports can be processed, which makes one-by-one reporting difficult to scale.

A bulk reporting workflow for related repositories, accounts, and infrastructure would be useful, especially when there is clear evidence that multiple repositories belong to the same operation. Even a way to submit a list of repository URLs with supporting indicators and documentation would significantly improve response time for ongoing abuse campaigns.

For now, I've mostly been documenting indicators, repository patterns, domains, and infrastructure links to help correlate new repositories as they appear.

[Reelix]

In my original post I included a search

https://github.com/search?q=%22axios.post%28api%2C+%7B+...process.env+%7D%22&type=code

That search currently returns 40 results.

Of those 40 results, aside from the write ups detailing the malicious campaign, you'll struggle to find a single non-malicious repository.

When I started, there were about 25, and I've gotten about a dozen shut down along the way - Now there are far more. They're simply easier to create than get removed, and Github and Vercel blocks you every step of the way.

They're effortless to find - The problem is that the people who are able to do something about them in bulk (Github as the host / Vercel as the C2) refuse to take pro-active action, so there they remain.

I've attempted to create issues warning people, but the malicious actors delete the issues (So they don't even appear under closed), and often disable issues entirely. I've attempted to create PR's warning people, but they mark them as closed, and block me from doing so.

It seems that I'm fighting against a system which is refusing to help, whilst supporting the malicious actors along the way - And that gets frustrating.