Please add a SECURITY warning for UNSAFE public repositories! #174013
Replies: 3 comments 1 reply
- I think that some public repositories without any updates will show us vulnerabilities because of deprecated libraries. But if anyone's repository is useful for the public, then he/she should post updates regularly. That will make us safer 😃. Your idea is good too, red flags... I think better would be to have update or version history (not like commit history) as tags and releases.
- Just to add to the conversation: I've seen maintainers of big projects push back or ignore pull requests that would stop a zero-day vulnerability. I've also seen open source repositories that will route all of your traffic to another weird website. When investigating such a weird website, it had crazy security around it and some really weird stuff to it. I don't think excluding public repositories would be a good solution, just very clear warnings that it might be (or is!) malware disguised as a solution to a problem. I'd also think the more popular a repository gets, the more effort should go into making sure the repository isn't doing anything super weird! Package managers already have this! For example, when installing a repository it'll run a quick check on how vulnerable your packages or modules are! GitHub already has everything in place (in my humble opinion) to implement something like this! The exploitation "game plan" is quite simple: find a problem -> create an open source repository that solves it -> write exploit -> obfuscate vulnerability -> run influence campaign around it -> continue improving solution if influence campaign gains traction (e.g. large number of stars, clones and trust in the community). Here is why I think it would be in the best interest for GitHub and Microsoft to implement this from a business or product aspect:
- https://thehackernews.com/2025/09/lastpass-warns-of-fake-repositories.html
- Original post (Topic area: Product Feedback)
Hi everyone, first time ever posting here.
I've recently run into a repository that is widely used and cloned with severe vulnerabilities.
I've run into a couple over the years; some even had "influence campaigns" to get unsafe open source repos out there with more cloners! Not cool!
I'd like to request a "flag" feature to public repositories that contain vulnerabilities.
I believe this will give developers a better understanding how secure a repository really is to make a decision on using it or not.
I'd love to hear the thoughts and opinions of the community.