This one has been up for two years: https://github.com/Aker490/Steal-Cookie-Roblox
It would be good to hear an official response from GitHub on where the boundaries are, since it seems like there's plenty of examples of clearly malicious repos hosted for years.