Ramblings of a Tampa engineer

I've been noticing a new pattern of spam on GitHub that is so annoying, partly clever and such a pain to defend against that I had to blog about it.

I hinted at this pattern in one of my older posts, Dead Internet Theory, but this time I have to dive deeper into how it works.

Original comment (prior to edit) on fastlane/fastlane#22198

It all started when a comment showed up on an issue report that was clearly generated by an LLM and did not help the conversation one bit. Since fastlane has a large amount of activity, I only subscribe to items I interact with, so I'm not alerted to random responses on issues I have not visited.

By the time I visited this thread, it was the same message, but with a tiny link to some unrelated service tucked into it.

Spam comment (prior to edit) on fastlane/fastlane#22198

This could be link farming, backlink building or some clever SEO trick, but whatever it is, I do know it doesn't belong. The user, as you would expect, is an empty GitHub account: no repositories, no stars, no projects, no contributions, just spam across repositories.

Spam comment on fastlane/fastlane#20477

Sure enough, I stumbled upon another issue, and this time the user (or script) injected the spam links directly into words of the LLM text. This time the advertisements are for Labcorp, which I recognize as a massive company. So now I'm even more curious: does that company hire a scummy advertising agency whose tactics include behavior like this in order to grow its search standing? Or is the connection unrelated? Either way, I move on to the next one.

Spam comment on fastlane/fastlane#28817

This time it's a short comment that makes no sense: a comment saying "thank you for sharing" on a bug report. A short time later the comment is edited to include the spam link. This must be a common technique because GitHub only emails me original comments, not edits. A comment that looks vaguely real (generated by an LLM), then edited later to add the spam, is how they operate.

If I were GitHub, this would seem like an easy one for the playbook: brand new accounts that end up posting more and more outbound links to various domains get flagged and reviewed.

Another spam comment on fastlane.

I even found comments from years ago that were edited to include spam. Are these legitimate accounts that got hacked and turned into spam accounts? Some of the edits land minutes after the original comment, others months later.
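To make that playbook concrete, here is an added example (my own illustration, not code from the original post, from fastlane, or from anything GitHub actually runs) that scores issue comments for the "bland comment first, spam link edited in later" pattern. It works on records in the shape GitHub's REST API returns for issue comments (created_at, updated_at, body, user) and for user profiles (created_at, public_repos, followers). The REST API only hands back the current body, so an edit can be inferred from the timestamp gap but the original text is gone, just like the email notifications. The allow-list of hosts, the thresholds and the sample comments and accounts are all constructed assumptions.

```python
"""Score GitHub issue comments for the edit-a-spam-link-in-later pattern.

Added example, not GitHub tooling. Records follow the REST API shapes of
GET /repos/{owner}/{repo}/issues/comments and GET /users/{login}.
The allow-list and thresholds below are assumptions for illustration.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
from urllib.request import Request, urlopen

URL_RE = re.compile(r"https?://[^\s<>()\[\]\"']+")
# Hosts a fastlane issue can legitimately link to (assumed allow-list).
ALLOWED_HOSTS = {"github.com", "fastlane.tools", "docs.fastlane.tools", "developer.apple.com"}
EDIT_DELAY = timedelta(minutes=10)     # later than a quick typo fix (assumed threshold)
NEW_ACCOUNT_AGE = timedelta(days=90)   # "brand new" account (assumed threshold)


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps are RFC 3339 in UTC, e.g. 2024-07-29T14:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def outbound_hosts(body: str) -> set[str]:
    """Return link hosts in the body that are not on the allow-list."""
    hosts: set[str] = set()
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        host = host[4:] if host.startswith("www.") else host
        if host and host not in ALLOWED_HOSTS and not host.endswith((".github.com", ".githubusercontent.com")):
            hosts.add(host)
    return hosts


def score_comment(comment: dict, author: dict) -> tuple[int, list[str]]:
    """Score one comment (higher = more spam-like) and explain why."""
    hosts = outbound_hosts(comment["body"])
    if not hosts:
        return 0, []                                   # nothing advertised, nothing to flag
    score, reasons = 2, [f"outbound links to {sorted(hosts)}"]

    created, updated = parse_ts(comment["created_at"]), parse_ts(comment["updated_at"])
    if updated - created > EDIT_DELAY:                 # the link may have been edited in later
        score += 1
        reasons.append(f"edited {updated - created} after posting")
    if created - parse_ts(author["created_at"]) < NEW_ACCOUNT_AGE:
        score += 1
        reasons.append("account under 90 days old when it commented")
    if author.get("public_repos", 0) == 0 and author.get("followers", 0) == 0:
        score += 1
        reasons.append("empty account: no public repos, no followers")
    return score, reasons


def flag_spam(comments: list[dict], users: dict[str, dict], threshold: int = 4) -> list[dict]:
    """Return comments scoring at or above the threshold, with score and reasons attached."""
    flagged = []
    for c in comments:
        score, reasons = score_comment(c, users[c["user"]["login"]])
        if score >= threshold:
            flagged.append({"id": c["id"], "url": c["html_url"], "score": score, "reasons": reasons})
    return flagged


def fetch_comments(owner: str, repo: str, token: str, per_page: int = 100) -> list[dict]:
    """Fetch one page of issue comments from the real endpoint (needs network; not used below)."""
    req = Request(f"https://api.github.com/repos/{owner}/{repo}/issues/comments?per_page={per_page}",
                  headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data in the API's shape; none of these accounts or comments are real.
SAMPLE_USERS = {
    "spam-acct-1": {"login": "spam-acct-1", "created_at": "2024-06-01T00:00:00Z", "public_repos": 0, "followers": 0},
    "maintainer": {"login": "maintainer", "created_at": "2014-02-10T00:00:00Z", "public_repos": 42, "followers": 300},
    "old-user": {"login": "old-user", "created_at": "2016-08-20T00:00:00Z", "public_repos": 7, "followers": 5},
}
SAMPLE_COMMENTS = [
    {"id": 1, "html_url": "https://github.com/example/repo/issues/1#issuecomment-1", "user": {"login": "spam-acct-1"},
     "body": "Thank you for sharing this detailed report! See https://example-spam.invalid/offers for more.",
     "created_at": "2024-07-29T14:00:00Z", "updated_at": "2024-07-29T17:30:00Z"},
    {"id": 2, "html_url": "https://github.com/example/repo/issues/1#issuecomment-2", "user": {"login": "maintainer"},
     "body": "This is covered in https://docs.fastlane.tools/actions/match/ (fixed a typo).",
     "created_at": "2024-07-29T15:00:00Z", "updated_at": "2024-07-29T15:01:00Z"},
    {"id": 3, "html_url": "https://github.com/example/repo/issues/2#issuecomment-3", "user": {"login": "old-user"},
     "body": "Same error here on Xcode 15.4, happy to test a fix.",
     "created_at": "2024-07-30T09:00:00Z", "updated_at": "2024-07-30T09:00:00Z"},
    {"id": 4, "html_url": "https://github.com/example/repo/issues/3#issuecomment-4", "user": {"login": "old-user"},
     "body": "Workaround posted [here](https://example-spam.invalid/labs) if anyone needs it.",
     "created_at": "2023-10-01T12:00:00Z", "updated_at": "2024-06-15T08:00:00Z"},
]

if __name__ == "__main__":
    for hit in flag_spam(SAMPLE_COMMENTS, SAMPLE_USERS, threshold=3):
        print(hit["url"], hit["score"], "; ".join(hit["reasons"]))
```

At the default threshold of 4 only the brand new, empty account with a late edit is flagged (comment 1). Dropping the threshold to 3 also surfaces comment 4: an established account whose old comment gained an off-site link eight months after it was written, which is the "legitimate account later turned to spam" case and should go to a human rather than be auto-deleted. Rate-limit handling, pagination and per-user lookups are left out of fetch_comments on purpose; the scoring is the part the post is about.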

I tried to report these accounts for spam, but that was even more clicks on top of marking the comments as spam or deleting them. I found that if I deleted the comments and then reported the account, chances are GitHub would take no action, perhaps because reviewers could no longer see the spam I had deleted. If I left the comments marked as spam and reported the account, the account might be deleted entirely and take the comments with it.

At one point I had too many open abuse reports to even open another, so I stopped. It was just a daunting amount of work to report an account on top of cleaning up the spam. I figured automation would eventually purge these accounts, but I'm posting about spam I dealt with in 2024 and the accounts are still not deleted. So, long story short: if you don't report them, chances are no automation GitHub has in place will take care of the LLM-based spammer.
