GitHub Spam is out of control
Spam is nothing new, and spam on GitHub is also not particularly new. Any site that accepts user-generated content will need to figure out how to prevent people from submitting spam, whether that is for scams, malicious software, or X-rated material. I have been getting tagged in crypto-related spam for the past 6 months or so. In the past 24 hours I have been tagged in two of them.

Normally, these crypto scams on GitHub post a comment tagging multiple people, and then the poster almost immediately deletes it. It appears that this is a way to bypass spam filters, or at the very least make it harder to report them. According to this post on GitHub’s community org, the end user gets an email with the full post and spam, but there is no easy way to report it since it is already deleted.
The Issue
Today, though, was my “lucky” day. I got tagged in two scams, but one of them is still up! So let’s take a look into it.

As we can see in the screenshot above, there is a copy-and-paste message from a seemingly auto-generated user and a bunch of real users tagged below as “Winners”. The full pull request can be found here: https://github.com/boazcstrike/github-readme-stats/pull/1
Let’s do a little experiment and search for the title of the comment on GitHub and see what we get:
https://github.com/search?q=AltLayer+Airdrop+Season+One+Announcement&type=pullrequests
That is 274 comments on pull requests and 545 comments on issues: over 800 spam comments (819 to be exact). To be fair, I saw a couple of false positives in this search, but VERY few, since this is a very specific and long term we searched for. Assuming that 95% of them are correct matches, that is ~780 posts.
The REAL kicker: of all the pull requests and issues I could find, every one was 24 hours old or newer. The oldest I could find was only 18 hours old at the time of writing this article!
Each post has up to 20 users tagged in it. I do not know if this is a GitHub-imposed limit or if posts might get flagged more easily if they tag more than 20 accounts. ~780 posts * 20 = 15,600 accounts tagged.
As I was finishing this article, I found another set of these with the title of “Binance Airdrop Guide: $500k Worth of Airdrop is Ready, here’s how to Claim”.
Another ~800 mentions of it. The interesting thing with this one is that some of these are over 1 month old! There are even 3 spam posts on 1 pull request, tagging 10 users each! https://github.com/varathsurya/nurse_management_api/pull/1
So that is another ~15k accounts tagged. That puts us at ~30k accounts tagged so far; let’s look at who is doing the tagging for the most part.
Here are a few accounts I found:
https://github.com/devsquadcore
https://github.com/mohamedata-code
https://github.com/altagencyuk
They seem to have a lot of similarities:
1) No profile picture
2) A couple of years old, but usually no commits and no repos
3) If they do have a repo (or repos), it’s usually a single-commit copy of some open-source software (1 account had 4 repos of Laravel, and one had 1 repo of WordPress).
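As an added example (not code from this post or from GitHub), here is a small Python scorer that applies the indicators described above to a comment and its author: mass @mentions, airdrop/claim wording, and an account that is years old with no repos or profile picture. The logins, dates and threshold are constructed assumptions, and the default-avatar flag is passed in by the caller because the users API does not directly report it.

```python
import re
from datetime import datetime, timezone

# GitHub @mention: a login is 1-39 alphanumerics/hyphens with no leading or doubled hyphen.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9](?:-?[A-Za-z0-9]){0,38})")
# Wording shared by the two spam waves described in the post.
SPAM_PHRASES = ("airdrop", "winners", "claim", "season one announcement")
SPAM_THRESHOLD = 3  # indicators needed before a comment is flagged (assumption)

def mentioned_users(body: str) -> list:
    """Distinct @logins in a comment body, lower-cased (GitHub logins are case-insensitive)."""
    return list(dict.fromkeys(m.lower() for m in MENTION_RE.findall(body)))

def account_age_years(created_at: str, now: datetime) -> float:
    """Age from the ISO-8601 created_at field returned by GET /users/{login}."""
    created = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    return (now - created).days / 365.25

def score_comment(body: str, author: dict, now: datetime, has_default_avatar: bool) -> tuple:
    """Return (indicator_count, reasons). `author` carries created_at and public_repos from
    GET /users/{login}; `has_default_avatar` is caller-supplied (assumption: not in the API)."""
    reasons = []
    mentions = mentioned_users(body)
    if len(mentions) >= 5:
        reasons.append(f"mass mention: {len(mentions)} users tagged")
    hits = [p for p in SPAM_PHRASES if p in body.lower()]
    if len(hits) >= 2:
        reasons.append(f"giveaway wording: {hits}")
    repos = author.get("public_repos", 0)
    if has_default_avatar:
        reasons.append("no profile picture")
    if repos == 0:
        reasons.append("no public repos")
    if account_age_years(author["created_at"], now) >= 1.0 and repos <= 1:
        reasons.append("years-old account with almost no activity")
    return len(reasons), reasons

def is_spam(body: str, author: dict, now: datetime, has_default_avatar: bool) -> bool:
    return score_comment(body, author, now, has_default_avatar)[0] >= SPAM_THRESHOLD

# Constructed sample data modelled on the post; logins, dates and repo counts are made up.
NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)
SPAM_COMMENT = ("AltLayer Airdrop Season One Announcement\n"
                "Claim your reward before the deadline. Winners:\n"
                "@alice @bob-dev @carol99 @dave @erin @frank @grace @heidi @ivan @judy")
SPAM_AUTHOR = {"login": "example-spam-acct", "created_at": "2021-03-10T12:00:00Z", "public_repos": 0}
BENIGN_COMMENT = "Thanks @alice, LGTM. Merging once CI is green."
BENIGN_AUTHOR = {"login": "example-maintainer", "created_at": "2023-06-01T08:00:00Z", "public_repos": 12}
```

Because the notification email keeps the full comment text even after the poster deletes it, the same scorer can be run over mail bodies when the comment itself is already gone.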
WTF
Quick side note: How the actual fuck does GitHub NOT have a report button on a piece of user-generated content? Do you know the process of reporting this? Copy Link -> Go to user’s profile page -> Click Block & Report -> Click Report Abuse button -> *New page* Click “I want to report harmful… cryptocurrency abuse” -> Click “I want to report suspicious cryptocurrency or mining content.” button -> FINALLY paste the link you copied 10 years ago into the form box, give your justification on why this user did a bad thing, and hope that the link still works and the content is still up by the time they get around to looking at it…