Found a Second Layer to a GitHub Follow Botnet?

This is Parts 2 of an ongoing investigation. Part 1 documented the initial discovery — 8 accounts with Jaccard following-list similarity of 0.99+ across ~29,800 entries each, evading cross-follow detection entirely.

After Part 1 published, I kept pulling the data.

Subsequent analysis expanded the cluster to 9 accounts, recovered infrastructure linkage to a specific GitHub identity, and mapped the generation pipeline responsible for all 552 repositories across the cluster. The pipeline left recoverable artifacts in every repository it produced.

Following that same pipeline fingerprint led to an earlier operation — running nine months before the follow botnet was provisioned. The same GitHub identity appears in both. So does the same generator artifact. Four accounts documented in Part 1 appear in both operations.

This post documents what the data shows. Inference is labeled as inference throughout. I am not establishing intent or ownership beyond what the API evidence directly supports.

Found a Second Layer to a GitHub Follow Botnet?

Other newsrooms on this story

Related reading

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Other newsrooms on this story

Related reading

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub

Shai-Hulud copycat worm infects yet another npm package

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

GitHub Worm Hits npm Packages With 16M Downloads

Hugging Face hosted malicious software masquerading as OpenAI release