Github censored malware research data


Update Oct 15: Gitlab also removed my data, but later admitted that it had misinterpreted it, and it was quickly reinstated. See discussion on Hacker News and Gitlab statement.

After publishing a list of compromised online stores, I was contacted by several people who claimed their sites had not been compromised (while in fact they were, as archive.org provides solid proof) and threatened to sue me.

Then last night, Github removed my research results, without sending me a notice.

First, some facts:

  1. Data came from public sources such as builtwith.com, DNS zones and site frontpages.
  2. The list I published on Oct 11th was accurate as of Oct 10th.
  3. I have published an updated list as of Oct 12th (also taken offline by Github) that showed that 332 shops had in fact fixed their site since my publication. It also showed that 170 new shops had been compromised.
  4. I wrote about this in 2015. The problem is not solved today; in fact, it has nearly doubled.
  5. I have told and stressed to any journalist that the problem is not with a particular type of store software, but due to sloppy maintenance.
  6. I have contacted about 30 merchants directly. I got either no response, or “thanks but we are safe” even though I pointed out the specific malware code on their frontpage.
  7. I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.

I understand that Github doesn’t have the resources to investigate each and every DMCA notice. However, it still took me by surprise that Github censors data so easily.

So I am happy to have moved my data to Gitlab (co-founded by an amazing Dutch guy) today.

Here is an up-to-date list of compromised stores, which was established 40 minutes ago (Oct 14th).

I understand that if you are a merchant, it is not a pleasure to be on that list. I absolutely agree that publishing a list of compromised stores is a tough measure. However, I think this is better than letting the problem fester (as it has been since 2015). If you have cleaned your store, send me an email (preferably with a MageReport screenshot) and I’d be happy to remove you.

So far, between Oct 10 and Oct 14, 631 stores have been fixed. Great work everybody!

I am the founder of MageReport, a free service to check the security and performance of your store.