Weaponizing the Commons: A Taxonomy and Detection Framework of Abuse on GitHub
Yuli Cheng, Xiaoyu Zhang, Jiongchi Yu, Shiqing Ma, Chao Shen, Yang Liu

TL;DR
This paper presents a comprehensive taxonomy and a high-performance detection framework for abuse behaviors on GitHub, enhancing understanding and security of the platform's software supply chain.
Contribution
It introduces a new taxonomy of GitHub abuse behaviors and a unified detection framework evaluated with high accuracy on a curated dataset.
Findings
The dataset includes 392 labeled GitHub abuse instances.
The detection framework achieves F1-scores exceeding 89%.
The taxonomy covers diverse abuse symptoms and root causes.
Abstract
GitHub plays a critical role in modern software supply chains, making its security an important research concern. Existing studies have primarily focused on CI/CD automation, collaboration patterns, and community management, while abuse behaviors on GitHub have received little systematic investigation. In this paper, we systematically review and summarize reported GitHub abuse behaviors and conduct an empirical analysis of publicly available abuse cases, curating a manually labeled dataset of 392 GitHub instances. Based on this investigation, we propose a comprehensive taxonomy that characterizes their diverse symptoms and root causes from a software security perspective. Building on this taxonomy, we develop a unified detection framework capable of identifying all abuse categories across repositories and user accounts. Evaluated on the constructed dataset, the proposed framework…
