OpenSourceShit Part 3: The Impersonators

Parts 1 and 2 covered a specific kind of harm: people who genuinely think they’re contributing, badly. The Duplication Lover thinks they’re defending craftsmanship. The Security Advisor thinks 2,400 PRs is diligence. Misguided, exhausting, but honest in some warped sense.
This part isn’t about them. It’s about people who don’t file a single PR, because they don’t want your codebase. They want your name.
The Same-Day Resquat
In March 2026, Huntress researchers tracked a fake installer campaign for OpenClaw, an AI personal assistant tool. The malicious repository was hosted directly on GitHub and tuned to rank high in Bing AI search results, so people looking for the real tool got infostealers instead. GitHub took the original impersonating repo, account, and organization down.
A new imitation repo mimicking the same installer went up the next day.
Not the next month. The next day. That’s the actual shape of the problem: the takedown process runs on human review timelines, proof-of-ownership forms, a Trust & Safety queue. The re-squat runs on a script.
Cloning at Scale
In April 2026, researchers at Hexastrike traced a campaign that started with a fake clone of a security research project and unraveled into 109 malicious repositories spread across 103 GitHub accounts. The pattern was consistent: fork a legitimate open source project, strip the README down to nothing, and replace it with a prominent download button pointing at a ZIP buried in the repo tree instead of an actual GitHub release. Inside: a Prometheus-obfuscated Lua payload run through LuaJIT, calling native Windows APIs directly, fingerprinting the host, grabbing screenshots. The command-and-control address resolves through a Polygon smart contract, so the operators can rotate infrastructure without ever touching the payload again.
That’s not one bored person with a laptop. That’s an assembly line, and the README is just the packaging.
By June 2026, the scale jumped again: a single operation cloned roughly 10,000 GitHub repositories, complete with realistic-looking commit history and contributor names, and hid malware behind a download link in each one. To stay ahead of automated detection, they re-pushed identical commits every few hours so the repos would look actively maintained. That’s a deliberate exploit of the exact signal developers are told to trust: “recently updated” as a proxy for “someone is watching this.”
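Two of the signals described above are cheap to check mechanically from the defender's side: a README whose download button fetches an archive stored in the repository tree rather than a GitHub release, and a commit history whose recent commits all point at the same tree, i.e. "activity" that changes no content. The script below is an added example written for this post, not tooling from any of the research teams cited; the README snippets and commit records it runs on are constructed, and the threshold of 30% distinct trees is an assumption, not a published figure.

```python
"""Heuristics for two repo-impersonation signals (added example; all sample
data below is constructed):
  1. README download links that point at an archive/installer inside the repo
     tree (raw.githubusercontent.com, /blob/, /raw/) instead of /releases/.
  2. Recent commits that share one tree hash, so the repo looks maintained
     while nothing in it has changed.
"""
import re
from collections import Counter

ARCHIVE_EXT = (".zip", ".7z", ".rar", ".exe", ".msi", ".dmg")

# Link targets in Markdown [text](url) and raw HTML href="url".
LINK_RE = re.compile(r'\]\(([^)\s]+)\)|href="([^"]+)"')


def in_tree_download_links(readme: str) -> list[str]:
    """Return archive links served from the repo tree rather than a release."""
    hits = []
    for m in LINK_RE.finditer(readme):
        url = m.group(1) or m.group(2)
        low = url.lower()
        if not low.endswith(ARCHIVE_EXT):
            continue
        if "/releases/" in low:
            continue  # a real release asset is not the pattern in question
        if "raw.githubusercontent.com" in low or "/blob/" in low or "/raw/" in low:
            hits.append(url)
    return hits


def content_change_ratio(commits: list[dict]) -> float:
    """Fraction of distinct tree hashes among the commits given.
    A repo that re-pushes one snapshot on a timer scores close to 0."""
    if not commits:
        return 0.0
    distinct = Counter(c["tree"] for c in commits)
    return len(distinct) / len(commits)


def assess(readme: str, commits: list[dict], min_ratio: float = 0.3) -> dict:
    """Combine both signals; min_ratio is an assumed threshold."""
    links = in_tree_download_links(readme)
    ratio = content_change_ratio(commits)
    return {
        "in_tree_downloads": links,
        "content_change_ratio": round(ratio, 2),
        "suspicious": bool(links) or (len(commits) >= 5 and ratio < min_ratio),
    }


# Constructed sample data: a stripped README with a prominent download button
# pointing into the tree, versus a README that links a tagged release.
SUSPICIOUS_README = """# tool
[![Download](https://img.shields.io/badge/Download-blue)](https://raw.githubusercontent.com/example-org/tool/main/dist/Tool-Setup.zip)
<a href="https://github.com/example-org/tool/blob/main/Tool.zip">mirror</a>
"""
BENIGN_README = """# tool
See the [docs](docs/README.md).
[Download](https://github.com/example-org/tool/releases/download/v1.2/tool-1.2.zip)
"""

# Constructed commit metadata: nine re-pushed commits share tree "t-aaaa".
SUSPICIOUS_COMMITS = [{"sha": f"c{i:02d}", "tree": "t-aaaa"} for i in range(9)]
SUSPICIOUS_COMMITS.append({"sha": "c09", "tree": "t-bbbb"})
BENIGN_COMMITS = [{"sha": f"b{i:02d}", "tree": f"t-{i:04d}"} for i in range(6)]

if __name__ == "__main__":
    print(assess(SUSPICIOUS_README, SUSPICIOUS_COMMITS))
    print(assess(BENIGN_README, BENIGN_COMMITS))
```

In practice the commit records would come from `git log --format='%H %T'` on a clone, and the ratio should be read alongside the commit dates: a repo whose last ten commits span a few days but share one tree is the timer-driven refresh pattern, while a long-lived project with a handful of identical trees from merges is not.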
When It's Not Freelancers
None of this requires a nation-state budget, but sometimes it has one anyway. Between December 2025 and April 2026, Atos Threat Research Center tracked 44 separate GitHub facades, each spoofing a different administrative or developer tool, combining SEO poisoning with a two-stage GitHub-hosted delivery chain and a blockchain-based command-and-control system nicknamed “EtherHiding.” The payload, EtherRAT, has been linked by other researchers to Lazarus Group, North Korea’s state-sponsored hacking unit.
The same playbook the freelance StealC operators run, industrialized by a state actor, using the same platform, the same trust signals, the same README-as-bait structure. GitHub’s reputation is the exploit. It doesn’t matter who’s holding it.
The Search Results Are Also Fake
It gets worse once you leave GitHub itself. A campaign documented since at least September 2025 has been building fake websites that impersonate the actual project pages of tools like Ghidra, dnSpy, ILSpy, and grpcurl, tuned to outrank the real project’s own site on Google. Researchers found over 5,000 malware samples tied to the operation on VirusTotal, with confirmed infections across Turkey, Poland, Brazil, Germany, France, Russia, and the UK. Users aren’t failing to find the real project. They’re finding a better-ranked fake one first.
That’s the part that should sit uncomfortably with any maintainer reading this. You can lock down your own repo, require signed commits, review every PR by hand. None of that helps when the top Google result for your project’s name isn’t your project.
Two You'd Recognize
Abstract campaign counts are easy to skim past. Here are two you’ve probably used.
In March 2026, contributors to Node.js’s Corepack project noticed something off about corepack.org, the second organic result when you search “corepack.” Nobody on the actual Corepack team owns it. The download button was misspelled “Downlaod.” The linked ZIP didn’t resolve. When someone actually read the site’s FAQ, it turned out to be AI-generated and confused enough to answer a question about yarn bombing, the crochet street art, as if “yarn” meant the JavaScript package manager. Maintainer MikeMcC399 closed the GitHub issue by disclaiming any project ownership of the domain, then opened an internal OpenJS Foundation thread flagging it as possible preparation for a supply-chain attack. As of this writing, the site is still live.
ImageGlass has been fighting a version of this since at least 2020, when its developer, Phap D2, publicly warned users on Twitter/X that a pixel-perfect clone of the ImageGlass homepage was serving a malware ZIP from its download button instead of the real installer. That warning predates the current AI wave entirely. Cloning a homepage and swapping a link has been cheap since the reskin era, the same WordPress-theme-and-fake-play-button playbook that ran fake movie streaming sites for a decade. Running that playbook still took a little competence: enough HTML to rip a page cleanly, enough English to write a convincing FAQ, enough patience to pick a domain that wouldn’t get flagged on sight. AI removed that floor too. The clone, the copy, and the fake FAQ now come out of the same prompt, competence no longer required, which is exactly what tripped up corepack.org’s crocheting confusion.
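The corepack.org and ImageGlass cases share one property a maintainer or an internal proxy can check without touching the site at all: the download host is not one the project controls, and it either contains the project's name or sits an edit or two away from it. Below is an added example of that check, written for this post rather than taken from any project mentioned here; the project name, canonical domains and candidate URLs are constructed, and the registrable-domain logic is a deliberate simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Flag lookalike download hosts for a project (added example; the project
name, canonical domains and URLs below are constructed)."""
from urllib.parse import urlsplit


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: treats every suffix as
    single-label, so foo.co.uk would come back as co.uk."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, project: str, canonical: set[str], max_dist: int = 2) -> str:
    """Return 'canonical', 'lookalike' or 'unrelated' for a download URL.
    max_dist is an assumed threshold for how close a label must be to count."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable(host)
    if reg in canonical:
        return "canonical"  # any subdomain of a domain the project owns
    name = project.lower()
    if name in host:
        return "lookalike"  # project name on a domain the project doesn't own
    if levenshtein(reg.split(".")[0], name) <= max_dist:
        return "lookalike"  # typo-distance from the project name
    return "unrelated"


# Constructed example: project "exampletool" owns exampletool.dev only.
PROJECT = "exampletool"
CANONICAL = {"exampletool.dev"}
CANDIDATES = [
    "https://downloads.exampletool.dev/exampletool-2.0.zip",
    "https://exampletool.org/download",
    "https://examp1etool.dev/setup.exe",
    "https://unrelated.example/index.html",
]


def triage(urls: list[str]) -> dict[str, str]:
    return {u: classify(u, PROJECT, CANONICAL) for u in urls}


if __name__ == "__main__":
    for url, verdict in triage(CANDIDATES).items():
        print(f"{verdict:10} {url}")
```

A maintainer can run this over the hosts appearing in search results or referrer logs for the project's name; a verdict of "lookalike" is a prompt to look at the page and file a report, not proof of malice, since mirrors and package-index pages legitimately carry project names too.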
Why the Small Ones Are Worth It
That last sentence points at the actual economics, and it’s worth naming directly: a lot of these targets aren’t hundred-million-download projects. They’re the smaller, dependable utilities, a Corepack, a Rufus, a self-hosted tool, the kind of project a solo maintainer keeps running on donations and goodwill worth maybe a few hundred dollars a year.
That used to be protection. Nobody bothered forging a phishing site for a tool nobody’s heard of. Google Ads changed the math. Bitdefender found 35 hijacked advertiser accounts running over 200 malicious ads impersonating 7-Zip, Notepad++, LibreOffice, and Final Cut Pro across 15 countries, redirecting searchers to pages that installed a credential-stealing implant instead. VideoLAN and OBS have both publicly complained about the same tactic targeting VLC and OBS Studio, small teams with no marketing budget to outbid a criminal ad account for their own project’s name. Rufus, a single-purpose USB flashing tool, has had its homepage cloned on lookalike domains down to the download button placement.
Running search ads costs cents to dollars per click. The tool being impersonated doesn’t need a huge userbase. It needs a userbase with something worth stealing: cloud credentials, a crypto wallet, an SSH key that opens a company’s CI pipeline. One infected developer with the wrong access covers the entire ad spend many times over. The organic reputation a small maintainer spent years building, worthless to fake back when nobody bothered, is now the cheapest attack surface in the stack, precisely because nobody budgeted to defend it.
The Reporting Gap
GitHub’s own process for this is a web form: pick “Malware or phishing” or “Impersonation,” attach a link, attach proof of ownership, wait for Trust & Safety to review it. That process is reasonable for a single bad actor. It was never built for an adversary running 109 accounts as one campaign, or repushing 10,000 repos on a timer, or backdooring 5,500 repositories through poisoned CI/CD pipelines in under six hours, which is exactly what the “Megalodon” campaign did in May 2026 using throwaway accounts with randomized usernames.
One side of this fight files a form and waits. The other side runs a script.
The Throughline
Sonatype's 2025 numbers put a floor under how big this already is: north of 450,000 new malicious open source components identified in a single year, hundreds of malicious npm releases attributed to Lazarus Group alone, a 156% jump in malware since 2023. Those are the same registries from Part 1 and the same GitHub from Part 2, now carrying a payload instead of a placeholder.
The Ex Stack and the Test Bombardier from Part 2 are annoying because they waste review time on things that were at least trying to be real. The impersonators in this part don’t waste your time, they spend it: every fake repo, every re-ranked search result, every cloned installer is built specifically to consume the trust your name took years to earn.
Add it up and the picture from Parts 1 through 3 is the same shape from three different angles. AI slop floods the review queue. The parasites in Part 2 add friction on top of that, mostly without meaning to. The impersonators in this part exploit the exact reputation that used to make open source safe to depend on, on purpose, at industrial scale.
Next: what maintainers are actually doing about all three at once, and why closing the door stopped looking like overreaction.