by muppetman 1420 days ago
How would code like this make it into so many repos? People accepting pull requests and not properly reviewing them? Or is there something even worse about this attack?
2 comments

Many of the repos I found were clones of valid projects with the same names under new orgs and new users. For instance, this project is valid: https://github.com/scala-network/GUI-miner and its infected clone: https://github.com/stellitecoin/gui-miner

GPG-signed commits by the legitimate users do not contain the malware.
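
Since the legitimate maintainers' signed commits are clean, one defensive check a practitioner can run on a suspected clone is to list the commits the clone added on top of upstream and report which of them carry a good signature from a known maintainer key. The script below is an added example, not code from this thread or from either project; it parses the `%H %G? %GF` fields that `git log` emits (status letter and signing-key fingerprint), and the maintainer fingerprints and log lines in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage commits of a forked/cloned repo by
# GPG signature status. Only commits whose signature verifies AND whose signing key
# is on the maintainer allowlist are treated as trusted.

# Constructed placeholder fingerprints standing in for the real maintainers' keys.
MAINTAINER_KEYS="0000000000000000000000000000000000000001 0000000000000000000000000000000000000002"

# key_allowed FINGERPRINT -> exit 0 if the fingerprint is on the allowlist.
key_allowed() {
    for k in $MAINTAINER_KEYS; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# classify_line "<hash> <G?> <fingerprint>" -> prints one verdict word.
# git's %G? codes: G good, B bad, U good/untrusted key, X/Y/R good but expired
# or revoked key, E cannot be checked (key missing), N no signature.
classify_line() {
    set -- $1                       # $1 hash, $2 status, $3 fingerprint (may be empty)
    case "$2" in
        G) if key_allowed "$3"; then echo trusted; else echo untrusted-key; fi ;;
        N) echo unsigned ;;
        E) echo unverifiable ;;
        *) echo bad-signature ;;
    esac
}

# count_untrusted: read "<hash> <G?> <fingerprint>" lines on stdin, print each
# verdict with its hash on stderr, and print the number of non-trusted commits.
count_untrusted() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_line "$line")
        printf '%s %s\n' "$verdict" "${line%% *}" >&2
        [ "$verdict" = trusted ] || n=$((n + 1))
    done
    echo "$n"
}

# audit_fork UPSTREAM_REF FORK_REF: audit only the commits the fork added, i.e.
# those reachable from FORK_REF but not from UPSTREAM_REF. Requires the
# maintainers' public keys in the local gpg keyring, otherwise every signed
# commit comes back as E (unverifiable).
audit_fork() {
    git log --format='%H %G? %GF' "$1..$2" | count_untrusted
}

# Constructed sample log output for an offline run: two maintainer-signed commits,
# one unsigned, one signed by an unknown key, one whose key is not in the keyring.
SAMPLE_LOG="1111 G 0000000000000000000000000000000000000001
2222 G 0000000000000000000000000000000000000002
3333 N
4444 G ffffffffffffffffffffffffffffffffffffffff
5555 E 0000000000000000000000000000000000000001"

printf '%s\n' "$SAMPLE_LOG" | count_untrusted
```

Against a real pair of repositories you would fetch both as remotes and call `audit_fork upstream/master clone/master`; a non-zero count means the clone carries commits that no known maintainer signed, which is exactly where to start reading the diff.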

Considering that only clones are affected, your original tweet is downright wrong. None of the listed projects (python, js, bash, docker, k8s) are affected. Anybody can fork a repository to introduce malware.
js is a project?
You're right. It's not. I just copy-pasted the list from the tweet. I assume that the author meant to write jq.
Most of them don't seem to come from pull requests; I wonder if it's paired with a bunch of compromised GitHub accounts?
Not compromised, just created by the attacker.