identify-malicious-repository


Identify Malicious Repository


Skill by ara.so — Security Skills collection

Overview


⚠️ WARNING: This repository is MALICIOUS and should NOT be used.

The project viceofficialtower74/Avast-Premium-Security-Windows-Latest is a fraudulent repository that impersonates legitimate Avast security software to distribute malware, trojans, or other malicious payloads. This skill helps AI agents identify such repositories and warn users about them.

Red Flags Indicating Malicious Intent


1. Cracked Software Distribution


  • Description mentions "Keygen Activation", "License Key Pre-Activated", "Premium Loader Serial"
  • These terms indicate software piracy and illegal distribution
  • Legitimate vendors do NOT distribute pre-activated/cracked versions

2. Suspicious Repository Metrics


  • Artificially inflated stars (68 stars, 5 stars/day growth)
  • Zero forks and zero issues (indicates fake engagement)
  • No legitimate README content
  • Created recently (2026-05-06) with rapid star accumulation

3. Impersonation Tactics


  • Uses trademarked name "Avast" without authorization
  • Claims to be "Full Version Installer" with activation bypasses
  • Professional-looking description with emojis to appear legitimate

4. Malware Distribution Indicators


  • Offers a "Setup Keygen", a kind of file that is commonly a trojan
  • Promises free premium software (too good to be true)
  • No source code visible, only executables
  • Topics mix legitimate terms with piracy terms
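As an added example (not part of the skill's own code), the red flags above scored offline against a constructed metadata record shaped like GitHub's `/repos/{owner}/{repo}` response, including the star-growth-rate and zero-issues checks from the list. Field names are GitHub's; the sample values are constructed from the figures quoted on this page, and the weights are assumptions.

```python
from datetime import datetime, timezone

PIRACY_TERMS = ("keygen", "crack", "pre-activated", "loader", "serial", "license key")
BRANDS = ("avast", "norton", "kaspersky", "mcafee", "bitdefender", "adobe", "microsoft")

def stars_per_day(stars, created_at, now):
    """Stars gained per day since creation (created_at is GitHub's ISO-8601 string)."""
    created = datetime.fromisoformat(created_at.replace("Z", "+00:00"))
    days = max((now - created).total_seconds() / 86400, 1.0)
    return stars / days

def score_metadata(repo, now):
    """Score one repo record against the red flags; returns (score, flags). No network."""
    score, flags = 0, []
    name = (repo.get("name") or "").lower()
    text = f"{name} {repo.get('description') or ''}".lower()

    # 1. Cracked-software vocabulary in the name or description (assumed weight 15 each)
    hits = [t for t in PIRACY_TERMS if t in text]
    if hits:
        score += 15 * len(hits)
        flags.append(f"piracy terms: {', '.join(hits)}")

    # 2. Inflated stars with no forks and no issues, plus rapid star growth
    stars = repo.get("stargazers_count", 0)
    if stars > 50 and repo.get("forks_count", 0) == 0 and repo.get("open_issues_count", 0) == 0:
        score += 25
        flags.append(f"{stars} stars but zero forks and zero issues")
    rate = stars_per_day(stars, repo["created_at"], now)
    if rate >= 3:
        score += 20
        flags.append(f"rapid star growth: {rate:.1f}/day")

    # 3. Vendor brand in the repo name while the owner account is not that vendor
    owner = (repo.get("owner") or {}).get("login", "").lower()
    brand = next((b for b in BRANDS if b in name), None)
    if brand and owner != brand:
        score += 30
        flags.append(f"brand '{brand}' in repo name but owner is '{owner}'")
    return score, flags

# Constructed sample shaped like the API response; the figures are the ones quoted above.
SAMPLE = {
    "name": "Avast-Premium-Security-Windows-Latest",
    "owner": {"login": "viceofficialtower74"},
    "description": "Avast Premium Security Full Version Installer - Keygen Activation, License Key Pre-Activated",
    "stargazers_count": 68, "forks_count": 0, "open_issues_count": 0,
    "created_at": "2026-05-06T00:00:00Z",
}
NOW = datetime(2026, 5, 19, tzinfo=timezone.utc)  # constructed: 13 days after creation
```

A vendor-owned repository (owner login equal to the brand) does not trigger the impersonation flag, which keeps official mirrors out of the verdict.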

How to Identify Such Repositories


Programmatic Detection (Python)


```python
import os
import requests

def analyze_repository_risk(repo_full_name):
    """Analyze a GitHub repository for malicious indicators"""

    GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
    headers = {'Authorization': f'token {GITHUB_TOKEN}'} if GITHUB_TOKEN else {}

    api_url = f"https://api.github.com/repos/{repo_full_name}"
    response = requests.get(api_url, headers=headers, timeout=10)

    # Report the status code so a rate limit (403) is not mistaken for "not found"
    if response.status_code != 200:
        return {"error": f"GitHub API returned HTTP {response.status_code} for {repo_full_name}"}

    data = response.json()

    risk_score = 0
    warnings = []

    # Check description for cracking keywords
    cracking_keywords = ['keygen', 'crack', 'pre-activated', 'loader',
                         'serial', 'license key', 'full version']
    description = (data.get('description') or '').lower()

    for keyword in cracking_keywords:
        if keyword in description:
            risk_score += 15
            warnings.append(f"Description contains piracy term: '{keyword}'")

    # Check star-to-fork ratio (fake engagement)
    stars = data.get('stargazers_count', 0)
    forks = data.get('forks_count', 0)

    if stars > 50 and forks == 0:
        risk_score += 25
        warnings.append(f"Suspicious metrics: {stars} stars but {forks} forks")

    # Check for missing README
    readme_url = f"https://api.github.com/repos/{repo_full_name}/readme"
    readme_response = requests.get(readme_url, headers=headers, timeout=10)

    if readme_response.status_code == 404:
        risk_score += 20
        warnings.append("No README file found")

    # Check impersonation of known brands
    known_brands = ['avast', 'norton', 'kaspersky', 'mcafee', 'bitdefender',
                    'adobe', 'microsoft', 'autodesk', 'vmware']
    repo_name = (data.get('name') or '').lower()

    for brand in known_brands:
        if brand in repo_name and brand in description:
            risk_score += 30
            warnings.append(f"Impersonates legitimate brand: {brand}")
            break

    # Assess risk level
    if risk_score >= 60:
        risk_level = "CRITICAL - Likely Malicious"
    elif risk_score >= 40:
        risk_level = "HIGH - Highly Suspicious"
    elif risk_score >= 20:
        risk_level = "MEDIUM - Suspicious"
    else:
        risk_level = "LOW"

    return {
        "repository": repo_full_name,
        "risk_score": risk_score,
        "risk_level": risk_level,
        "warnings": warnings,
        "recommendation": "DO NOT DOWNLOAD" if risk_score >= 40 else "Investigate further"
    }

# Example usage
result = analyze_repository_risk("viceofficialtower74/Avast-Premium-Security-Windows-Latest")
if "error" in result:
    print(result["error"])
else:
    print(f"Risk Level: {result['risk_level']}")
    print(f"Risk Score: {result['risk_score']}/100")
    print("\nWarnings:")
    for warning in result['warnings']:
        print(f"  ⚠️ {warning}")
    print(f"\n🛡️ Recommendation: {result['recommendation']}")
```

Shell Script Detection


```bash
#!/bin/bash
# Check if repository exhibits malicious patterns
# Requires curl and jq

check_malicious_repo() {
    local repo_url="$1"
    local repo_path
    repo_path=$(echo "$repo_url" | sed 's|https://github.com/||')

    echo "🔍 Analyzing repository: $repo_path"
    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

    # Fetch repository data
    local api_response
    api_response=$(curl -s "https://api.github.com/repos/$repo_path")

    # Extract key fields
    local description stars forks issues
    description=$(echo "$api_response" | jq -r '.description // ""')
    stars=$(echo "$api_response" | jq -r '.stargazers_count // 0')
    forks=$(echo "$api_response" | jq -r '.forks_count // 0')
    issues=$(echo "$api_response" | jq -r '.open_issues_count // 0')

    # Check for red flags
    local risk_found=false

    if echo "$description" | grep -qiE 'keygen|crack|loader|pre-activated|serial|license key'; then
        echo "❌ DANGER: Description contains software piracy terms"
        risk_found=true
    fi

    if [ "$stars" -gt 30 ] && [ "$forks" -eq 0 ]; then
        echo "❌ DANGER: Artificial star inflation detected ($stars stars, $forks forks, $issues open issues)"
        risk_found=true
    fi

    if echo "$repo_path" | grep -qiE 'avast|norton|adobe|microsoft|vmware|autodesk'; then
        echo "❌ DANGER: Impersonates well-known software brand"
        risk_found=true
    fi

    if [ "$risk_found" = true ]; then
        echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
        echo "🚨 VERDICT: MALICIOUS REPOSITORY DETECTED"
        echo "⛔ DO NOT CLONE OR DOWNLOAD FROM THIS REPOSITORY"
        return 1
    else
        echo "✅ No obvious malicious indicators found"
        return 0
    fi
}

# Example usage
check_malicious_repo "https://github.com/viceofficialtower74/Avast-Premium-Security-Windows-Latest"
```

What Users Should Do


If You Encounter Such Repositories:


  1. DO NOT download any files from the repository
  2. Report the repository to GitHub via their abuse form
  3. Warn others by creating awareness
  4. Scan your system if you already downloaded files

Reporting to GitHub


```bash
# Report via GitHub CLI
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  /repos/viceofficialtower74/Avast-Premium-Security-Windows-Latest/abuse \
  -f message="This repository distributes malware disguised as cracked Avast software"
```

If the API call is rejected, use the web form at https://github.com/contact/report-abuse, which is GitHub's documented route for reporting a repository.

Safe Alternatives


```python
# Always verify software from official sources
LEGITIMATE_SOURCES = {
    "avast": "https://www.avast.com/",
    "windows_defender": "Built into Windows 10/11",
    "clamav": "https://www.clamav.net/ (Open Source)",
}

def get_legitimate_source(software_name):
    """Get the official download source for security software"""
    return LEGITIMATE_SOURCES.get(software_name.lower(), "Search official vendor website")
```

Indicators of Compromise (IoC)


If you've interacted with this repository:
  1. Scan your system immediately with legitimate antivirus
  2. Check for unauthorized network connections
  3. Monitor for credential theft (change passwords)
  4. Review installed programs for suspicious entries

```powershell
# Windows: Check for suspicious processes
# (processes whose path mentions Avast but whose company field is not Avast's)
Get-Process | Where-Object { $_.Path -like "*Avast*" -and $_.Company -ne "Avast Software" }

# Check recent downloads
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter "*avast*" -Recurse
```

Legitimate Security Practices


```python
import hashlib
import hmac

def verify_download_integrity(file_path, expected_hash, algorithm='sha256'):
    """Verify a downloaded file against the hash published by the vendor"""
    hash_func = hashlib.new(algorithm)

    with open(file_path, 'rb') as f:
        for chunk in iter(lambda: f.read(4096), b""):
            hash_func.update(chunk)

    calculated_hash = hash_func.hexdigest()

    # Vendors publish hex digests in either case; compare them normalised
    if hmac.compare_digest(calculated_hash, expected_hash.strip().lower()):
        print("✅ File integrity verified")
        return True
    else:
        print("❌ DANGER: File hash mismatch - possible malware")
        return False

# Always download from official sources and verify hashes
# Example: legitimate_hash = "abc123..." from vendor website
```

Conclusion


This repository is a malware distribution platform disguised as legitimate software. AI agents should:
  1. Warn users immediately when such repositories are referenced
  2. Never suggest downloading or using files from such sources
  3. Educate users on identifying similar scams
  4. Recommend official sources for legitimate software needs
🛡️ Security First: Always obtain software from official vendor websites or verified package managers.