Why is malware on GitHub not automatically detected and removed?

[hapepo23]

Select Topic Area

Question

Body

Today I found again malware in a "honeypot" repository -
see this directory: https://github.com/prider7/codewars-challenges/tree/master/subsistential
My GitHub Support messages are ignored, and I ask myself:
Why is malware on GitHub not automatically detected and removed?
I don't get it.

[esat54]

This is a valid concern, but the 'automatic removal' of code is a very thin line for a platform like GitHub. As a developer, I can point out a few technical reasons why this process isn't as instant as we'd like:

False Positives: Many security tools or penetration testing scripts look like malware to automated scanners. If GitHub started auto-deleting everything that flagged a 'Trojan' alert, thousands of legitimate research tools and educational projects would be wiped out.

Polymorphic Code: Malware authors constantly change the code's signature to bypass static analysis. As seen in your VirusTotal screenshot, even with 19/67 flags, there are still 48 vendors that didn't catch it. Automated systems struggle with this 'cat and mouse' game.

The 'Honeypot' Context: GitHub often serves as a library for security researchers to study malware samples.

However, ignoring support messages is frustrating. The best way to handle this is usually through the 'Report content' button directly on the repository, which triggers a manual review by the Trust & Safety team rather than just an automated bot.

Great catch on that specific repo, though. Staying vigilant is our best defense!

[turanalmammadov]

This is a common and understandable frustration. Here is how GitHub handles malware and some steps you can take:

Why automatic detection is difficult

GitHub hosts hundreds of millions of repositories. Automatically scanning all code for malware is computationally extremely challenging because:

• Code can be obfuscated, encoded, or stored in non-obvious forms
• What looks like malware in one context (security research, honeypots, educational repos) is legitimate in another
• Novel malware variants are constantly emerging

What GitHub does

GitHub does scan for some categories of malicious content, including:

• Secret scanning — detects exposed API keys, tokens, and credentials
• Dependency vulnerability scanning — alerts on known-vulnerable packages
• CSAM detection — automatic detection and removal
• Community reports — the primary mechanism for most malware/abuse cases

What you should do

1. Report the repository directly: Use the Report abuse link on the repository page (flag icon → Report content)
2. Contact GitHub Support: https://support.github.com/contact — include the specific URL and describe why it is malware
3. Report through GitHub Community: https://github.com/github/feedback/discussions
4. If it violates ToS: GitHub reviews reports of Acceptable Use Policy violations

Useful links

• Reporting abuse or spam
• GitHub Security policies
• GitHub contact support

For security researchers: if you found malware hosted on GitHub, the Security Lab team at https://securitylab.github.com/ may also be interested.

[pratikrath126]

GitHub does scan uploaded content for known malware using virus definitions, but it’s not foolproof—new or obfuscated malware can slip through. For issues that aren’t caught automatically, you can report them via GitHub Support or the abuse contact. Once verified, content that violates the Acceptable Use Policy is removed. You can also enable Advanced Security features like secret scanning and code scanning to catch certain threats early.

[ALPHYPSYCHE]

Detecting malware at GitHub's scale (over 420 million repositories) is an immense technical challenge.

Legitimate Use Cases: Many security researchers host "malware" for educational or defensive purposes. Outright automated banning would hinder legitimate cybersecurity research.
Evasion Techniques: Attackers use obfuscation and "fork bombs" (creating thousands of clones) to hide malicious code within seemingly benign updates.
Responsibility Model: GitHub provides tools like Secret Scanning and Dependabot, but ultimately, Git is designed for collaboration, and the responsibility for reviewing third-party code before execution often falls on the end user.