Resource created as part of Paul McCarty and Jenn Gile’s TI Essentials article: “How to collect intelligence from GitHub on open source malware” | Published May 14, 2026 | feedly.com/ti-essentials/
Step 1: Search GitHub for payload signatures. Go to github.com/search, select the Code tab, and search for known marker strings filtered by filename: SIGNATURE path:FILENAME
Hint: Use the GitHub CLI to bulk collect results across multiple filenames at once: gh search code "SIGNATURE" --filename FILENAME --limit 100 --json repository,path,url
Step 2: Decode any encoded values you find. Copy the encoded string from the file and decode it in your terminal: echo "BASE64_STRING" | base64 -d
Step 3: Retrieve dead drop content. Take the decoded URL and retrieve its contents: curl -s "URL"
Step 4: Pivot on infrastructure and identities (for example, the author field in package.json).
Step 5: Report your findings.
Share with the community on opensourcemalware.com
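As an added example (not part of the original resource card or of opensourcemalware.com), this shell script generalizes Step 2: instead of decoding one string by hand, it scans a collected file for base64-looking strings, decodes each, and reports only those that decode to an http(s) URL, so the addresses fed to Step 3 have been reviewed first. The package.json fragment, the hex commit id and the URL under example.invalid are constructed sample data; GNU base64 and grep are assumed.

```shell
#!/bin/sh
# Added example, not code from the TI Essentials article.
# Assumes GNU coreutils base64 and grep.

# Scan FILE for base64 candidates and print "<encoded> <decoded-url>" for
# each one that decodes to a URL. Returns 0 if at least one was found.
find_encoded_urls() {
  file="$1"
  found=0
  for cand in $(grep -oE '[A-Za-z0-9+/]{16,}={0,2}' "$file" | sort -u); do
    # Valid base64 comes in 4-char groups; skip anything that does not.
    [ $(( ${#cand} % 4 )) -eq 0 ] || continue
    # Decode quietly (garbage is expected) and keep only http(s) URLs.
    url=$(printf '%s' "$cand" | base64 -d 2>/dev/null \
          | grep -aoE '^https?://[^[:space:]"]+' | head -n 1)
    [ -n "$url" ] || continue
    printf '%s %s\n' "$cand" "$url"
    found=1
  done
  [ "$found" -eq 1 ]
}

# Constructed sample file: a package.json fragment holding one encoded URL
# and a hex commit id that fits the base64 alphabet but decodes to junk.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
{
  "name": "sample-pkg",
  "author": "someone <someone@example.invalid>",
  "gitHead": "0123456789abcdef0123456789abcdef01234567",
  "_cfg": "aHR0cDovL2V4YW1wbGUuaW52YWxpZC94"
}
EOF

find_encoded_urls "$SAMPLE_FILE"
```

Only the `_cfg` value is reported; the 40-character hex id passes the alphabet and length checks but fails the URL test.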
