tl;dr: A developer discovered that someone had cloned his GitHub repo, preserving all commits and contributors, but added a link to a zip archive containing a Trojan in the README. By analyzing GitHub event archives for repos updated frequently with only README changes containing zip links, he identified ~10,000 such malware-distributing repositories—about 25% of repos matching his pattern. GitHub only removed the repos he explicitly reported and has made no effort to detect the pattern themselves, despite the scheme running for over a year.