10 interesting stories served every morning and every evening.
© Valve Corporation. All rights reserved. All trademarks are property of their respective owners in the US and other countries. Privacy Policy | Legal | Accessibility | Steam Subscriber Agreement | Refunds | Cookies
© Valve Corporation. All rights reserved. All trademarks are property of their respective owners in the US and other countries. Privacy Policy | Legal | Accessibility | Steam Subscriber Agreement | Refunds | Cookies
Maintained by Epic Games, Lore is designed for unprecedented scalability of both data and teams. It’s optimized for projects—including games and entertainment—that combine code with large binary assets, and caters for the needs of developers and artists alike.
deno desktop turns a Deno project (anything from a single TypeScript file to a Next.js app) into a self-contained desktop application. The output is a redistributable binary that bundles your code, the Deno runtime, and a web rendering engine into one bundle per platform.
Coming in Deno 2.9
deno desktop ships in Deno v2.9.0 and is not in a stable release yet. To try it now, run deno upgrade canary to install the canary build. The command, configuration keys, and TypeScript APIs may still change before the feature is stable.
Why deno desktop Jump to heading
Web technology is the most widely-known UI toolkit in the world. Desktop apps built on web stacks (Electron, Tauri, Electrobun) take advantage of that, but each has tradeoffs you have to live with: huge binaries, missing platform support, no JavaScript ecosystem, no built-in update story, no framework integration.
deno desktop is opinionated about those tradeoffs:
Small by default, full Node compatibility. The default WebView backend uses the operating system’s own webview for small binaries, and you still have the entire npm ecosystem available through Deno’s Node compat layer. Opt into the bundled Chromium (CEF) backend when you need identical rendering across macOS, Windows, and Linux.
Framework auto-detection. Point deno desktop at a Next.js, Astro, Fresh, Remix, Nuxt, SvelteKit, SolidStart, TanStack Start, or Vite SSR project and it runs: the production server in release mode, the dev server with hot reload under –hmr. No code changes are required to take an existing web project to the desktop.
In-process bindings instead of IPC. Backend and UI communication goes through in-process channels, not socket-based IPC. Values are still encoded as they cross the call boundary, but there is no cross-process round-trip between your Deno code and the webview.
Cross-compile from one machine. The same machine can build for macOS, Windows, and Linux. Backends are downloaded as needed, not built locally.
Built-in binary-diff auto-update. Ship a single latest.json manifest and bsdiff patches; the runtime polls, applies, and rolls back automatically on failed launches.
Hello, desktop Jump to heading
Create a one-file desktop app:
main.ts
Deno.serve(() => new Response(“<h1>Hello, desktop</h1>”, { headers: { “content-type”: “text/html” }, }) );
>_
deno desktop main.ts
The compiled binary opens a window pointed at a local HTTP server bound to your Deno.serve() handler. Run it directly:
>_
./main # macOS / Linux .\main.exe # Windows
Deno.serve() automatically binds to the address the webview navigates to, so you do not need to pass a port or hostname. See HTTP serving for details.
What’s in this section Jump to heading
Configuration: the desktop block in deno.json.
Backends: CEF, webview, raw; how to choose.
HTTP serving: Deno.serve() integration and the serving model.
Frameworks: Next.js, Astro, Fresh, Remix, Nuxt, SvelteKit, and others.
Windows: Deno.BrowserWindow lifecycle, multiple windows, events.
Bindings: calling Deno code from the webview via bindings.<name>().
Menus: application and context menus.
Tray and dock: system status icons and the macOS dock.
Dialogs: prompt(), alert(), confirm() as native popups.
Notifications: native OS notifications via the Web Notification API.
Hot module replacement: –hmr for framework and non-framework apps.
DevTools: unified DevTools attached to both the Deno runtime and the webview.
Auto-update: Deno.autoUpdate(), manifests, bsdiff, rollback.
Error reporting: capturing uncaught exceptions and panics.
Distribution: cross-compilation, output formats, installers.
Comparison: how deno desktop relates to Electron, Tauri, Electrobun, Dioxus.
deno desktop CLI reference: the command, its flags, and the deno.json desktop schema.
Hyundai’s move to buy SoftBank’s remaining 9.65% stake in Boston Dynamics for $325 million is not just cleanup from an old deal. It gives Hyundai full control of one of the few humanoid robotics companies with real factory work in sight.
Hyundai Motor Group is expected to approve the purchase on June 22, closing out SoftBank’s last piece of Boston Dynamics and turning the Waltham, Massachusetts robotics company into a wholly owned Hyundai business. The price is $325 million for the remaining stake, according to the deal terms, and it follows the put option SoftBank retained when Hyundai bought control of Boston Dynamics in 2021.
You should read that as a signal, not a footnote. Hyundai paid about $880 million for an 80% stake in Boston Dynamics in the 2021 transaction, valuing the company at roughly $1.1 billion at the time. SoftBank had bought Boston Dynamics from Alphabet in 2017, after Google had acquired the robotics lab in 2013. It was a strange ownership path for a company whose robots became famous on YouTube long before they became obvious commercial products.
That part is changing. At CES in Las Vegas on January 5, 2026, Hyundai and Boston Dynamics showed the electric Atlas humanoid robot in public, with the Associated Press reporting that the life-sized robot stood up, walked around the stage and was remotely piloted for the demonstration. The useful detail was not the stagecraft. It was the deployment plan. A production version of Atlas is expected to begin work at Hyundai’s electric vehicle plant near Savannah, Georgia, by 2028.
Boston Dynamics has spent years making robots that looked too good to be businesses. Spot, its four-legged robot, became the first obvious commercial success. Atlas is the harder test because humanoid robots have to justify themselves in places where traditional automation already exists. Business Insider reported in January that Boston Dynamics CEO Robert Playter said Atlas would need to learn new factory tasks in a day or two and reach 99.9% reliability before it could be truly useful on the floor. That’s a high bar. It’s also the right one.
Hyundai’s advantage is that it doesn’t have to imagine the first customer. It owns the factories, the vehicle programs and now the whole robotics company. The Verge reported from CES that Hyundai plans to start Atlas with parts sequencing at its Metaplant in Georgia, then move toward heavier and more complex operations by 2030. If you’re building robots for the physical world, that kind of controlled deployment matters more than a perfect demo video.
The supply chain is part of the story too. Hyundai Mobis, the group’s components arm, has been tied to actuator production for Atlas, which keeps one of the robot’s most important hardware systems closer to Hyundai’s own industrial base. Frankly, that is the difference between treating robotics as a side bet and treating it as a manufacturing capability. A humanoid robot is only as useful as the parts, service network and production discipline behind it.
The field around Boston Dynamics is no longer sleepy. Tesla has shifted part of its Fremont factory story toward Optimus after ending Model S and Model X production, a move reported by Axios and The Verge earlier this year. Figure AI has pushed humanoid robots into BMW factory trials. Unitree has made lower-cost humanoids impossible to ignore. None of those companies has Boston Dynamics’ long record in locomotion, but they don’t need to. They need to make robots cheap enough, useful enough and reliable enough to win specific jobs.
That is why full ownership matters for Hyundai. Boston Dynamics doesn’t have to beat every humanoid rival in every market. It has to make Atlas work inside Hyundai plants first, where the tasks are known, the layout is controlled and the payoff can be measured in production uptime rather than conference applause. If it works there, Hyundai gets a robotics platform and a proof point at the same time.
SoftBank has moved on to a bigger AI bet
For Masayoshi Son, the Boston Dynamics exit looks small beside SoftBank’s current AI infrastructure campaign. The Wall Street Journal reported in April that SoftBank is forming Roze AI, a new venture meant to use artificial intelligence and robotics to build physical infrastructure, including data centers. Tom’s Hardware, citing the Financial Times, reported that Son is aiming for a $100 billion valuation for Roze and a public listing as soon as this year.
That puts the $325 million Boston Dynamics proceeds in perspective. SoftBank is not walking away from robotics as an idea. It is moving toward robots as part of the AI buildout, tied to data centers, energy, land and construction. Boston Dynamics is a product company with hard engineering problems and a slower revenue curve. Son now wants the infrastructure layer.
Hyundai wants the robot on the factory floor. That is a narrower bet, but it is easier to judge. By 2028, Atlas is supposed to be doing real work in Georgia, not just walking across a stage in Las Vegas. If Hyundai can turn that into repeatable manufacturing value, the SoftBank exit will look less like a tidy cleanup and more like the moment Hyundai stopped borrowing a robotics future and decided to own it outright.
Also read: Texas just rewrote the rules for connecting AI data centers to its power grid • Elastic’s $85 million bet on DeductiveAI is a signal that AI-native ops tooling is now acquisition currency • The U.S. government just told ASML one of its most restricted machines may be inside China
Today’s links
Spying on kids to save kids from spying is very, very stupid: First they came for the VPNs.
Hey look at this: Delights to delectate.
Object permanence: RIP Darwin’s tortoise; ISPs conspire to create copyright jail; Waxy v fair use; Broken Windows is BS; Google is a machine-learning company; “Writing the Other”; Canadian wealth-tax.
Upcoming appearances: Toronto, NYC, Philadelphia, Chicago, London, Edinburgh, Sydney, Melbourne, Brighton, London, South Bend.
Recent appearances: Where I’ve been.
Latest books: You keep readin’ em, I’ll keep writin’ ’em.
Upcoming books: Like I said, I’ll keep writin’ ’em.
Colophon: All the rest.
Spying on kids to save kids from spying is very, very stupid (permalink)
The literature on harms to kids from online platforms is complex and nuanced, rife with people citing small, ambiguous studies as iron-clad evidence that kids are being destroyed by the internet:
https://www.youtube.com/watch?v=Ype6c6DdHQY
It’s a weird coalition of anti-Big Tech campaigners (who are rightly angry at the platforms’ callous disregard for user welfare) and Heritage Foundation-backed culture warriors (who think that if their kids aren’t exposed to LGBTQ content they won’t come out as queer). While there’s plenty these groups disagree about, they share one consensus: there should be a “minimum age” for certain kinds of internet use.
The problem is, there’s no such thing as “age verification” for the internet. What we call “age verification” is actually mass surveillance, so invasive and pervasive that it makes the ad-tech industry’s commercial surveillance look like some kind of cypherpunk darknet pirate utopia:
https://pluralistic.net/2025/08/14/bellovin/#wont-someone-think-of-the-cryptographers
“Age verification” means that everyone who does anything online will have to submit to fine-grained tracking and recording of all their online activities. This nightmare is the surveillance advertising industry’s fondest dream, a world where it’s literally illegal to avoid their tracking, all in the name of saving kids…from them!
So it’s not just a weird alliance of anti-Big Tech crusaders and the conspiratorial right that’s pushing for age verification — they are unwitting allies of the very tech industry they think they’re fighting. Those tech industry insiders are fully aware that an “age verification” mandate is really a way for the government to teach every child how to use a VPN. They’re also fully aware that the next move is to ban VPNs:
https://www.express.co.uk/news/uk/2217934/vpn-ban-table-july-labour
Tech bosses are the ones sitting on our shoulders saying, “Go ahead, swallow that fly — it’ll be fine. And if you do have to swallow a spider afterward, well, that’ll surely be the end of it”:
https://pluralistic.net/2026/05/19/shes-dead-of-course/#consensus-hallucination
Behind them is a long line of caliper-wielding grifters who claim they can use your phone’s camera to distinguish a child who is 17 years, 364 days old from an adult who’s just turned 18:
https://www.gov.uk/government/publications/facial-age-estimation
It’s beyond farce. After all, whatever harms you believe the internet is inflicting on kids — and there’s absolutely some kids who are being harmed by their internet use — those harms all start with surveillance. Your kids can’t be targeted by algorithms without the surveillance data that’s being used to target them. They can’t be funneled into pro-anorexia content or extreme misogyny forums without that funnel being primed by commercial spying.
Why do tech companies spy on your kids? The same reason your dog licks its balls: because they can, and no one stops them:
https://pluralistic.net/2026/03/10/ice-tech/#foreseeable-outcomes
America hasn’t updated its consumer privacy laws since 1988 (when Congress banned the disclosure of your VHS rentals). The EU has the GDPR, but it also has Ireland, the country where all GDPR cases against Big Tech go to die, because any tax haven inevitably becomes a crime haven:
https://pluralistic.net/2025/10/31/losing-the-crypto-wars/#surveillance-monopolism
Other countries have privacy laws to varying degrees, but are grossly outmatched by US tech giants, who have fused with the Trump regime, to the extent that Trump will impose penalties on your country if you attempt to regulate his tech companies — he’ll even have your top officials cut off from the internet in retaliation:
https://pluralistic.net/2026/04/04/digital-subjugation/#greenlands-next
Any attempt to save kids from online harms should start with saving kids from online surveillance, but that’s the opposite of what we’re doing today. After decades of failing to pass and enforce privacy controls for the internet, those same governments are breaking all land-speed records to pass “age verification” laws that make privacy illegal:
https://bsky.app/profile/rebeccawilliams.info/post/3moviqzdit22z
The fact that these bills have the firm backing of the tech industry’s most controlling, most spying companies tells you everything you need to know about them:
https://web.archive.org/web/20260315022337/https://tboteproject.com/
Kids are being harmed by online spying, and so are the rest of us. Whether you think that the algorithm made Grampy go Qanon or you’re suspicious that online surveillance data was used to deny you a loan, a job, or a lease, you should want privacy:
https://pluralistic.net/2023/12/06/privacy-first/#but-not-just-privacy
Online surveillance is being used to raise the prices you pay and lower the wages you’re offered:
https://pluralistic.net/2026/04/06/empiricism-washing/#veena-dubal
And the same data that’s being used to “verify age” today will be used by ICE tomorrow to figure out who to round up for a concentration camp:
https://www.wired.com/story/ice-asks-companies-about-ad-tech-and-big-data-tools/
You can’t protect kids from online surveillance by spying on them. You just can’t. Anyone who tells you otherwise is trying to get you to swallow a fly so they can sell you a spider, a bird, a cat, and an ICE chud in a gaiter, Oakleys and plate carrier (beneath which lurks a stick-and-poke Totenkopf tattoo).
Hey look at this (permalink)
AI doomerism is misplaced. Here’s what it will take to pop the bubble https://www.salon.com/2026/06/22/ai-doomerism-is-misplaced-heres-what-it-will-take-to-pop-the-bubble/
Visa and Mastercard: The Original Gangsters of Electronic Collusion https://www.thesling.org/visa-and-mastercard-the-original-gangsters-of-electronic-collusion/
Visa and Mastercard: The Original Gangsters of Electronic Collusion https://www.thesling.org/visa-and-mastercard-the-original-gangsters-of-electronic-collusion/
Has it happened yet? https://hasithappenedyet.org/
Has it happened yet? https://hasithappenedyet.org/
Platform-Controlled Search and Distortions in Attention Allocation https://tinbergen.nl/discussion-paper/6496/26 – 035-vii-platform-controlled-search-and-distortions-in-attention-allocation
Platform-Controlled Search and Distortions in Attention Allocation https://tinbergen.nl/discussion-paper/6496/26 – 035-vii-platform-controlled-search-and-distortions-in-attention-allocation
Object permanence (permalink)
#20yrsago Darwin’s tortoise dead at 176 https://web.archive.org/web/20060704143750/http://news.yahoo.com/s/afp/20060623/od_afp/australiaanimal_060623102146;_ylt=Ave_b4Ps2r9TGXqs5nZIVIoFO7gF;_ylu=X3oDMTA5bGVna3NhBHNlYwNzc3JlbA–zoo
#15yrsago Major US ISPs set to limit repeat infringers with throttling, limiting access to 200 websites, and copyright reeducation school https://web.archive.org/web/20111105225114/http://news.cnet.com/8301 – 31001_3 – 20073522-261/exclusive-top-isps-poised-to-adopt-graduated-response-to-piracy/
#15yrsago Why fair use doesn’t work unless you’ve got a huge war-chest for paying lawyers https://waxy.org/2011/06/kind_of_screwed/
#15yrsago Model net neutrality rule for municipalities https://web.archive.org/web/20110626114610/http://envisionseattle.org/2011/06/model-net-neutrality-ordinance-for-seattle.html
#15yrsago Campus hookups: college sex isn’t new, but hookups are different https://thesocietypages.org/socimages/2011/06/21/the-promise-and-perils-of-hook-up-culture/
#15yrsago A Brief History of the Corporation: understanding what an attention economy is and where it comes from https://ribbonfarm.com/2011/06/08/a-brief-history-of-the-corporation-1600-to-2100/
#15yrsago Eliza: what makes you think I’m a psychotherapeutic chatbot? https://www.filfre.net/2011/06/eliza-part-1/
#10yrsago Broken Windows policing is nonsense https://www.nyc.gov/assets/oignypd/downloads/pdf/Quality-of-Life-Report-2010 – 2015.pdf
#10yrsago How it feels to be under DDoS attack https://www.oreilly.com/radar/ddos-emotions/
#10yrsago 2016: the first presidential election in 50 years without Voting Rights Act protections https://www.rollingstone.com/politics/politics-news/welcome-to-the-first-presidential-election-since-voting-rights-act-gutted-179737/3/
#10yrsago Google is restructuring to put machine learning at the core of all it does https://web.archive.org/web/20180530051703/https://www.wired.com/2016/06/how-google-is-remaking-itself-as-a-machine-learning-first-company/
#10yrsago Misconfigured database exposes sensitive data for 154 million US voters https://dailydot.com/politics/154-million-voter-files-exposed-l2
#10yrsago To understand the Trump campaign, study real-estate developer hustle https://web.archive.org/web/20161028030522/https://storify.com/KC_EDM/trump-is-running-his-campaign-like-a-real-estate-d
#10yrsago Writing the Other: intensely practical advice for representing other cultures in fiction https://memex.craphound.com/2016/06/23/writing-the-other-intensely-practical-advice-for-representing-other-cultures-in-fiction/
#1yrago The case for a Canadian wealth tax https://pluralistic.net/2025/06/23/billionaires-eh/#galen-weston-is-a-rat
Upcoming appearances (permalink)
Toronto: The Sovereignty Debate (IAB Canada’s State of the Nation), Jun 23 https://iabcanada.com/state-of-the-nation-2026
Toronto: The Reverse Centaur’s Guide to Life After AI (Osler Records/Type Books), Jun 23 https://www.eventbrite.com/e/cory-doctorow-book-launch-and-talk-tickets-1991501299998
Toronto: The Reverse Centaur’s Guide to Life After AI (Osler Records/Type Books), Jun 23 https://www.eventbrite.com/e/cory-doctorow-book-launch-and-talk-tickets-1991501299998
NYC: The Reverse Centaur’s Guide to Life After AI with Jonathan Coulton (The Strand), Jun 24 https://www.strandbooks.com/cory-doctorow-the-reverse-centaur-s-guide-to-life-after-ai.html
NYC: The Reverse Centaur’s Guide to Life After AI with Jonathan Coulton (The Strand), Jun 24 https://www.strandbooks.com/cory-doctorow-the-reverse-centaur-s-guide-to-life-after-ai.html
Philadelphia: The Reverse Centaur’s Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25 https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Philadelphia: The Reverse Centaur’s Guide to Life After AI with David Williams (Fitler Club/Philadelphia Citizen), Jun 25 https://www.eventbrite.com/e/cory-doctorow-book-event-tickets-1990110326559
Chicago: The Reverse Centaur’s Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26 https://exileinbookville.com/events/50628
Chicago: The Reverse Centaur’s Guide to Life After AI with Rick Perlstein (Exile in Bookville), Jun 26 https://exileinbookville.com/events/50628
London: Idler Festival, Jul 11 https://www.idler.co.uk/festival/
London: Idler Festival, Jul 11 https://www.idler.co.uk/festival/
Edinburgh International Book Festival with Jimmy Wales, Aug 17 https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Edinburgh International Book Festival with Jimmy Wales, Aug 17 https://www.edbookfest.co.uk/events/the-front-list-cory-doctorow-and-jimmy-wales
Sydney: The Festival of Dangerous Ideas, Aug 23 – 24 https://festivalofdangerousideas.com/cory-doctorow/
Sydney: The Festival of Dangerous Ideas, Aug 23 – 24 https://festivalofdangerousideas.com/cory-doctorow/
Melbourne: Enshittification at the Wheeler Centre, Aug 25 https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Melbourne: Enshittification at the Wheeler Centre, Aug 25 https://www.wheelercentre.com/events-tickets/season-2026/cory-doctorow-enshittification
Brighton: The Reverse Centaur’s Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8 https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
Brighton: The Reverse Centaur’s Guide to Life After AI with Carole Cadwalladr (Brighton Dome), Sep 8 https://brightondome.org/whats-on/LSC-cory-doctorow-the-reverse-centaurs-guide-to-life-after-ai/
London: The Reverse Centaur’s Guide to Life After AI with Riley Quinn (Foyle’s Picadilly), Sep 9 https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
London: The Reverse Centaur’s Guide to Life After AI with Riley Quinn (Foyle’s Picadilly), Sep 9 https://www.foyles.co.uk/events/enshittification-cory-doctorow-riley-quinn
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6 https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/
South Bend: An Evening With Cory Doctorow (Notre Dame), Oct 6 https://franco.nd.edu/events/2026/10/06/an-evening-with-cory-doctorow/
Recent appearances (permalink)
How to Mess with Big Tech Oligarchs (Fighting Fascism) https://podcasts.apple.com/us/podcast/how-to-mess-with-big-tech-oligarchs-w-cory-doctorow/id1888647397?i=1000773711479
Reverse Centaur with Angie Coiro (Kepler’s Books) https://www.youtube.com/live/cWN6XBa73xA
Reverse Centaur with Angie Coiro (Kepler’s Books) https://www.youtube.com/live/cWN6XBa73xA
How to Think About AI Before It’s Too Late (Galaxy Brain) https://www.youtube.com/watch?v=SPQNPJ0CEPo
How to Think About AI Before It’s Too Late (Galaxy Brain) https://www.youtube.com/watch?v=SPQNPJ0CEPo
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order) https://www.youtube.com/live/wJvBvYdaAMY
The future of world governance, with Kim Stanley Robinson (UN Independent Expert on International Order) https://www.youtube.com/live/wJvBvYdaAMY
How to Think About Artificial Intelligence (KUER) https://radiowest.kuer.org/show/radiowest/2026 – 06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence
How to Think About Artificial Intelligence (KUER) https://radiowest.kuer.org/show/radiowest/2026 – 06-16/cory-doctorow-on-how-to-think-about-artificial-intelligence
Latest books (permalink)
“Canny Valley”: A limited edition collection of the collages I create for Pluralistic, self-published, September 2025 https://pluralistic.net/2025/09/04/illustrious/#chairman-bruce
18 June 2026
This is the story of how I found 10,000 repositories on GitHub that distribute Trojan malware. They are all from different contributors, have different names, and are not forks of other repositories. But they share a common pattern, which is what allowed me to write a script to find such repositories.
Introduction
I have a project on GitHub, and I wanted to check whether search engines had indexed it. I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results, with the exact same name and description. It was a copy of my repository with all the commits, and I was listed as a contributor. But an hour ago, another commit was pushed with a change to the readme. A link to a zip archive has been added to it.
I was choosing appropriate tags for another one of my projects on GitHub. I clicked through those tags to look at similar projects. In the list, I found a repository whose name and description matched exactly those of another repository on that list. It turned out that it also contained copies of all the commits from that repository, and two hours ago, a link to a zip archive has been added to the readme.
After monitoring these two repositories, I discovered that every few hours they delete the previous commit and push the exact same commit again. This commit contains only one change: adding a link to the archive in the readme file.
I submitted a request to GitHub support asking them to delete these repositories. Two weeks passed and nothing has changed; GitHub support hasn’t responded. I discussed with an AI what else could be done about this, but it didn’t offer any useful advice. I opened a thread on GitHub, and three people replied with the same AI slop that was of no use at all.
Another month later, GitHub support sent me an email saying that they had removed these repositories.
You can open other similar repositories, look at the latest commit, and see that a link to a zip archive was added to the readme a few hours ago:https://github.com/lucasheriq4374/welinkhttps://github.com/lucioloprey/OcyShield-Frameworkhttps://github.com/luigi1973/AssetRipper-CLI
The zip archive contains 4 files:
Application.cmd or Launcher.cmd
loader.exe or luajit.exe or another_name.exe
random_name.cso or random_name.txt
lua51.dll
If you submit a link to the archive to VirusTotal, it will find 0 viruses.If you submit the zip file itself, it will detect a Trojan inside it.
Continued
It seemed like I had already forgotten about this event, but my subconscious hadn’t. And my subconscious often throws interesting ideas at me when I’m sleeping or waking up. Recently, I woke up and in the very same second realized what I needed to do. I need to come up with a general pattern and then write a script that will analyze all GitHub repositories and find the ones that match that pattern.
Search pattern:
Every few hours the previous commit is deleted and a new one is pushed
Only the readme file is updated in the commit
The readme file contains a link to a zip archive
The commits are copied from another repository
This is a new repository, not a fork
All repositories have different contributors and different names
From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it. But there are 500 million repositories on GitHub. How can we analyze all of them? GitHub allows 5,000 requests per hour with a single token. For each repository, we need to make several requests to get the list of commits, modified files, and the content of the readme file. I didn’t want to wait a year for the script to analyze all the repositories.
But we don’t need all the repositories, we only need the ones that are updated every few hours. I found a service called gharchive, which lets you download all GitHub events for any given day. So we need to download the event archives for the last few days, filter them to include only commit push events, and identify the repositories that are updated between 2 and 10 times every 10 hours.
Over the past 5 days, there have been 16 million commit pushes. Of these, only 3,000 are repositories that are updated every few hours.
However, the events do not include information about which specific files were modified. This means that for each relevant repository, we need to make additional requests to the GitHub API.
After running the script, it returned a large number of repositories. I added several parameters to the filters:
The commit must be from a user, not a bot
More than a month has passed between the last commit and the one before that
The repositories have more than one contributor
After that, only 14 repositories were found that fully matched the pattern. And I couldn’t stop wondering: why were there so few repositories? What are the odds that I stumbled upon these repositories two months ago and there are only 14 of them on the entire GitHub? There should be many more. Imagine what the headline of this article would have been if I’d found a million such repositories or even just a thousand.
But I accepted the fact that there were only 14 of them and started writing this article. I decided to double-check them one more time so I wouldn’t accidentally include any unnecessary repositories in the article. Imagine my surprise when I saw that they had all been updated 20 hours ago. So the “updated every few hours” parameter was completely wrong. The filter had discarded all repositories that are updated infrequently.
During my manual check, I also noticed repositories that contained a link to a zip archive and had a recent commit, but that commit had zero changes. The filter, however, only considered repositories where a single readme file had been modified in the latest commit.
I also noticed that the last commit in all of these repositories had the same name: “Update README.md”.
I changed the filter. Now the script searched for repositories that were updated between 1 and 24 times every 24 hours. It found 40,000 such repositories.
There were 10,000 repositories that exactly matched the pattern. That’s 25% of the total.
Each of these repositories contains a zip archive with a Trojan.
These repositories have been around for many months, some even for over a year, and GitHub does not automatically detect and delete them.
I’ve published a complete list of these repositories on GitHub.A script for finding such repositories: Git Malware Finder
Open Questions
Why do they only clone new repositories, rather than popular ones?
Why do they delete a commit and push a new one every few hours?
Why doesn’t GitHub automatically detect such repositories?
What exactly does the executable exe file from the archive do?
What is the actual scale of this campaign?
My Hypotheses
The hackers’ goal is to understand how the system works, find its limitations and vulnerabilities, and exploit that information. If overwriting commits helps bypass GitHub’s security algorithms, then that’s what they did. Perhaps that’s also why every commit is named “Update README.md”.
The second goal is to spread the virus. How do they get people to find and download it? I think they do this by cloning only new repositories, which immediately appear at the top of search engine results for low-volume search terms. They also add these repositories to popular GitHub tags to increase the chances of indexing and to help people find them through those tags.
But why do they copy all the commits and contributors? After all, they could have just copied the entire source code. This is likely done to build trust. When someone visits a repository, they see the contributors, can click through to their profiles, and see that these aren’t one-day accounts. And the commit history is preserved so it’s clear that the repository didn’t just appear yesterday. But perhaps this is also done to bypass GitHub’s algorithms.
These are just my assumptions, but the reality may be completely different.
Conclusion
I was subject to GitHub’s API limit of 5,000 requests per hour. I optimized the script to search only for relevant repositories, and I think that because of the filter, the script found only a small percentage of repositories. The GitHub team does not have such limitations. They can analyze all 500 million repositories, find any archives or executable files within them, and scan them for viruses.
This time, I won’t be sending a request to GitHub. There are simply too many repositories. If any of you have direct contact with GitHub’s security team, please send them a link to this article.
* UpdateI found this article from April 18: How 109 Fake GitHub Repositories Delivered SmartLoader and StealCIt explains in detail how this Trojan malware works. At that time, the author had found 109 such repositories.
* Update 2GitHub has started deleting all the repositories that the script found. Most of these repositories have already been deleted.
* Update 3I found a post on Reddit that mentioned this scheme. It was posted in February 2025, almost 1.5 years ago: If you’re creating new repositories, they are being spoofed to host malware
* Update 4GitHub deleted only the repositories I listed in the complete list in a txt file. Then I ran the script again, it found new repositories, and I added them to this article. Two days have passed, and these repositories have not been deleted. GitHub has no way to search for these repositories. They didn’t run my script, and they didn’t write their own script. They didn’t even open this article to see if the list of repositories had changed. They only delete repositories that are reported to them, but they don’t do anything else. That’s why this scheme has been going on for several years now, and will most likely continue.
I also publish all new essays and notes on Telegram, Bluesky and X.
whoa there, pardner!
Your request has been blocked due to a network policy.
Try logging in or creating an account here to get back to browsing.
If you’re running a script or application, please register or sign in with your developer credentials here. Additionally make sure your User-Agent is not empty and is something unique and descriptive and try again. if you’re supplying an alternate User-Agent string, try changing back to default as that can sometimes result in a block.
You can read Reddit’s Terms of Service here.
If you think that we’ve incorrectly blocked you or you would like to discuss easier ways to get the data you want, please file a ticket here.
When contacting us, please include your Reddit account along with the following code:
019eea62 – 7613-7ff7-a698 – 85c31e074bc3
To add this web app to your iOS home screen tap the share button and select "Add to the Home Screen".
10HN is also available as an iOS App
If you visit 10HN only rarely, check out the the best articles from the past week.
Visit pancik.com for more.