by linwangg 477 days ago
This raises a big question: How effective is GitHub’s abuse reporting system against large-scale malware campaigns? If 1,000+ malicious repos can persist for months, does this mean GitHub lacks automated scanning or relies too much on user reports?
4 comments

The abuse reporting on GitHub completely sucks. You need to send a support ticket, which typically takes more than a month to get a reply to. And if by that time the comment or repo has been deleted they'll say "well it's deleted now, so we can't do anything". Because yes, I'm going to let spam sit around for over a month on my repo... :-/
Can't you just report it and hide it?
Automated scanning is easily bypassed - just fine-tune the submission until it passes the checks.
Insufficient. Reporting is a fairly manual process, has UX issues which discourage reporting, and is heavily rate limited.

Response times can vary from hours to what feels like months, and they rarely handle reports based on patterns of abuse.

> If 1,000+ malicious repos can persist for months

3 years unfortunately

https://github.com/Jalynn0922/steal-cook

I mean, do a search for "steal cookie": https://github.com/search?q=steal+cookie&type=repositories

This one has been up for two years: https://github.com/Aker490/Steal-Cookie-Roblox

It would be good to hear an official response from GitHub on where the boundaries are, since it seems like there's plenty of examples of clearly malicious repos hosted for years.