10,000 Malicious GitHub Repo Clones Have Been Targeting AI Agents for Over a Year

Photo: Miguel Á. Padriñán / Pexels


Chris Harper

Jun 24, 2026 · 12:06 UTC

Tags: AI, News, Security, Agents

TL;DR: A researcher mapped 10,000 GitHub repo clones that silently delivered malware via README ZIP links for over a year — with AI agents as the prime target, since they're far more likely than a human to follow a download instruction in a README.

Researcher "Orchid" spent weeks analyzing 16 million GitHub Archive commit events and found a quiet, automated campaign: threat actors clone real repositories with commit history and attribution intact, swap one README link for a pointer to a malicious ZIP archive, and push fresh commits every few hours to appear active. Cloned repos sometimes outrank originals in search results.

The specific focus on AI agents is the new threat model. A developer browsing GitHub is unlikely to download and run a ZIP from a README. An agent instructed to "find and set up the library at this GitHub repo" may do exactly that.

Defenses for agentic workflows:
  • Pin exact commit SHAs (not branch names) in any repo your agent clones.
  • Verify the owner/repo path matches your intended source before any git clone.
  • Add a tool-use guardrail that refuses to execute downloaded binaries unless they match a known hash or are from a verified registry.

GitHub removed the explicitly named repos but hasn't built independent detection for the pattern.
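One way to wire those three checks into an agent's tool layer, as an added Python example that is not part of the article or of Orchid's research; the allowlisted owner/repo, the pinned SHA and the known artifact hash are constructed placeholders:

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed allowlist: intended owner/repo -> pinned full commit SHA (placeholder values).
ALLOWED_SOURCES = {
    "example-org/example-lib": "0123456789abcdef0123456789abcdef01234567",
}
# Constructed set of SHA-256 digests of artifacts the agent is permitted to execute.
KNOWN_ARTIFACT_HASHES = {
    hashlib.sha256(b"trusted build\n").hexdigest(),
}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_clone(repo_url: str, ref: str) -> tuple[bool, str]:
    """Gate a git clone: the owner/repo path must be on the allowlist and
    ref must be the pinned full commit SHA, never a branch or tag name."""
    parsed = urlparse(repo_url)
    if parsed.scheme != "https" or parsed.netloc != "github.com":
        return False, f"refusing non-GitHub HTTPS source: {repo_url}"
    # A README ZIP link like /owner/repo/archive/... has extra path parts and is rejected here.
    parts = parsed.path.strip("/").removesuffix(".git").split("/")
    if len(parts) != 2:
        return False, f"cannot parse owner/repo from: {repo_url}"
    owner_repo = "/".join(parts)
    pinned = ALLOWED_SOURCES.get(owner_repo)
    if pinned is None:
        return False, f"{owner_repo} is not an approved source (possible lookalike clone)"
    if not FULL_SHA.match(ref):
        return False, f"ref {ref!r} is not a full commit SHA; branch names can move"
    if ref != pinned:
        return False, f"ref {ref} does not match pinned {pinned} for {owner_repo}"
    return True, f"ok: git clone {repo_url} && git checkout {ref}"


def check_artifact(data: bytes) -> tuple[bool, str]:
    """Refuse to execute a downloaded file unless its SHA-256 is already known."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_ARTIFACT_HASHES:
        return True, f"ok: artifact {digest[:12]} matches a known hash"
    return False, f"refusing to execute unknown artifact {digest[:12]}"
```

The same gate can be called from whatever tool wrapper the agent uses for `git clone` and for running downloaded files; on a refusal, surface the reason to a human instead of retrying.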

Why it matters: Every git clone your agent runs is now a supply-chain trust decision — treat it like an npm install from an unknown package.

Sources: Cybernews: AI agents targeted, Orchid original research, TechTimes: clone campaign, ByteIota: audit your dependencies