Over 100,000 Infected Repos Found on GitHub



Post by Jasper »

How do repo confusion attacks happen?

Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one. But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.

In this case, in order to maximize the chances of infection, the malicious actor is flooding GitHub with malicious repos, following these steps:

1. Cloning existing repos (for example: TwitterFollowBot, WhatsappBOT, discord-boost-tool, Twitch-Follow-Bot, and hundreds more).
2. Infecting them with malware loaders.
3. Uploading them back to GitHub with identical names.
4. Automatically forking each thousands of times.
5. Covertly promoting them across the web via forums, Discord, etc.

Source:
https://apiiro.com/blog/malicious-code- ... on-attack/
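An added detection-side example, not code from the post or from the Apiiro article: a Python heuristic over repository metadata that flags the pattern the post describes (a same-named repo under a different owner, much newer than the established one, with a fork count out of proportion to its stars, plus the automated forks hanging off it). The repo name reuses one from the post; the owners, dates, star and fork counts are constructed sample data, and the thresholds are assumptions to tune against real GitHub API output.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Repo:
    owner: str
    name: str
    created: date
    stars: int
    forks: int
    is_fork: bool
    parent: str = ""  # "owner/name" of the fork parent, if this repo is a fork

# Constructed sample data (not real GitHub records): one established project,
# a same-named upload from another account, and two of its automated forks.
SAMPLE = [
    Repo("origproj", "TwitterFollowBot", date(2014, 5, 1), 1200, 350, False),
    Repo("acct-x", "TwitterFollowBot", date(2024, 2, 20), 3, 4100, False),
    Repo("acct-y1", "TwitterFollowBot", date(2024, 2, 21), 0, 0, True, "acct-x/TwitterFollowBot"),
    Repo("acct-y2", "TwitterFollowBot", date(2024, 2, 21), 0, 0, True, "acct-x/TwitterFollowBot"),
    Repo("someone", "tinyutil", date(2021, 1, 1), 10, 2, False),
]

def flag_name_collisions(repos, min_fork_star_ratio=50, newer_by_days=365):
    """Map "owner/name" -> reasons for repos that look like confused copies.
    Thresholds are assumed values; the oldest non-fork root is treated as canonical."""
    by_name = {}
    for r in repos:
        by_name.setdefault(r.name, []).append(r)
    flagged = {}
    for name, group in by_name.items():
        roots = [r for r in group if not r.is_fork]
        if len(roots) < 2:
            continue  # no name collision between independent uploads
        established = min(roots, key=lambda r: r.created)
        for r in roots:
            if r is established:
                continue
            reasons = []
            if (r.created - established.created).days > newer_by_days:
                reasons.append(f"same name as older {established.owner}/{name}")
            if r.forks >= min_fork_star_ratio * max(r.stars, 1):
                reasons.append(f"{r.forks} forks vs {r.stars} stars")
            if reasons:
                flagged[f"{r.owner}/{name}"] = reasons
    # Forks of a flagged root inherit the flag (the mass-forking step).
    for r in repos:
        if r.is_fork and r.parent in flagged:
            flagged[f"{r.owner}/{r.name}"] = [f"fork of flagged {r.parent}"]
    return flagged
```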
