Possible to ve

[oliverhausler]

Select Topic Area

Question

Body

Without actually analysing the code, is it possible to verify the claim made by a user in this public repo when

• the dependency graph is disabled, and
• the network is only showing the 50 latest commits?

The repo could be hacking activity.

[shivrajcodez]

No — not reliably.

[jlceaser]

Short answer: Very limited, but not impossible. Here's what you can and can't do without code analysis:

What you CAN check without analyzing code:

• Commit history metadata — Author names, emails, timestamps, commit
  message patterns. Look for suspicious signs like bulk commits,
  inconsistent author info, or commits backdated to unusual times.
• File names and structure — Even without reading the code, file names
  and directory structure can reveal intent (e.g., tools commonly
  associated with malicious activity).
• Commit frequency and patterns — Irregular bursts of activity,
  force-pushes rewriting history, or suspiciously clean linear history
  can be red flags.
• Stars, forks, and watchers — A repo with suspicious content but high
  engagement might indicate social engineering. Zero engagement on a
  "popular" claim is also telling.
• README and description — Often reveals the stated purpose, which you
  can cross-reference with the file structure.
• Contributors and profiles — Check if the contributors have legitimate
  activity history or are freshly created accounts.

What you CAN'T reliably do:

• Verify behavior claims — Without reading the code, you cannot confirm
  what the software actually does vs. what the author claims it does.
  This is the core limitation.
• With only 50 commits visible in the network graph — You're missing
  the full history. Malicious changes could have been introduced in
  earlier commits that are no longer visible in the network view.
• With dependency graph disabled — You can't see what external packages
  the code pulls in. This is a significant blind spot, as malicious
  dependencies are a common attack vector.

Bottom line:

Metadata and structure can raise or lower your suspicion level, but
they cannot substitute for actual code review when the claim is about
what the code does. If you genuinely suspect malicious activity:

1. Report it — Use GitHub's
   https://support.github.com/contact/report-abuse to flag the repo
2. Don't clone or run it — If you suspect it's malicious, don't execute
   anything from it
3. The disabled dependency graph is itself a yellow flag — Legitimate
   projects generally benefit from having it enabled

Without code analysis, you're essentially judging a book by its cover —
useful for initial triage, but not for verification.

[oliverhausler]

Thanks for the extensive response. I have reported it as possible exploit, so GitHub can check on it.