Heads-up: malicious re-upload of this repo ships an obfuscated payload behind a fake download README #2242
Description
Hi @affaan-m — heads-up from a security audit we ran around ECC's clone wave. One public re-upload of this repo is distributing malware to your would-be users.
The repo: arabicapp/everything-claude-code (deliberately not hyperlinked). It's a full re-upload (not a GitHub fork, fork: false, created 2026-01-29) that copies your repo description, but replaces the README with a fake "Visit Here to Download" landing page pointing at a ZIP committed inside the repo itself.
What the ZIP contains (listed/stream-read via unzip -l / unzip -p, never executed):
docs/code_everything_claude_3.3.zip
Launch.bat 30 B -> "start luajit.exe x64.txt"
luajit.exe 878 KB
x64.txt 307 KB (heavily obfuscated Lua payload)
A second archive under docs/zh-TW/skills/postgres-patterns/ repeats the pattern (Launcher.bat -> start luajit.exe clx.txt, bundled lua51.dll). The README explicitly targets "non-technical users" and tells them to double-click the installer — i.e. exactly the audience a 213k-star repo pulls in. None of these files or instructions exist anywhere in your history (verified).
Status: We reported it to GitHub Trust & Safety ("Active Malware or Exploits") on 2026-06-12; it was still live when we filed this issue. We also provenance-checked ~300 name-matching re-uploads via the GitHub API — every other one came back as a clean stale copy, translation, or port. Full method and findings: https://dev.to/joergmichno/we-audited-the-viral-213k-star-everything-claude-code-repo-and-found-a-malware-clone-in-the-wild-14hb
Suggested action: consider a short pinned notice (README or pinned issue) stating the only official sources are this repo and your official npm packages — the fake-download clone exists precisely because that statement currently lives nowhere.
Happy to share the full evidence dossier if useful. (Disclosure: we build AI-agent security tooling and wrote the linked audit.)
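As an added example (not code from the issue author or the ECC project), a Python triage helper that mirrors the "list / stream-read, never execute" approach described above: it inventories a ZIP's members, reads any .bat/.cmd launcher as text, and flags launchers that hand a non-script-extension file to a bundled interpreter. The archive it runs against is constructed inline to match the reported layout; the interpreter list and filler bytes are assumptions.

```python
import io
import re
import zipfile

# Interpreters commonly shipped beside a renamed script; assumed list, not from the issue.
INTERPRETERS = {"luajit.exe", "lua.exe", "lua51.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = {".lua", ".js", ".vbs", ".hta"}


def build_sample_zip() -> bytes:
    """Constructed sample archive with the layout reported in the issue.
    The .exe and payload members are inert filler bytes, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Launch.bat", "start luajit.exe x64.txt")
        zf.writestr("luajit.exe", b"MZ" + b"\x00" * 62)        # placeholder PE-like header
        zf.writestr("x64.txt", "-- filler standing in for the obfuscated text")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Inventory a ZIP and inspect launcher scripts without extracting or running anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        inventory = {i.filename: i.file_size for i in zf.infolist()}
        bundled = {n.lower() for n in inventory}
        for name in inventory:
            if not name.lower().endswith((".bat", ".cmd")):
                continue
            text = zf.read(name).decode("latin-1", errors="replace")  # stream-read, like unzip -p
            # "start foo.exe arg" or "foo.exe arg" at the start of a line
            for m in re.finditer(r"(?im)^\s*(?:start\s+)?(\S+\.exe)\s+(\S+)", text):
                exe, arg = m.group(1).lower(), m.group(2)
                ext = "." + arg.rsplit(".", 1)[-1].lower() if "." in arg else ""
                findings.append({
                    "launcher": name,
                    "interpreter": exe,
                    "argument": arg,
                    "interpreter_bundled": exe in bundled,
                    # a known script interpreter fed a .txt (or other non-script) file
                    "arg_disguised": exe in INTERPRETERS and ext not in SCRIPT_EXT,
                })
    return {"inventory": inventory, "findings": findings}


if __name__ == "__main__":
    for f in triage_archive(build_sample_zip())["findings"]:
        print(f)
```

A finding with both interpreter_bundled and arg_disguised set is the signal worth escalating: the archive carries its own interpreter and points it at a file whose extension hides what it is.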