These are practical triage signals for maintainers, security engineers, and agentic SDLC platform builders.
.exe, .dll, .scr, .ps1, .bat, .cmd, .js, .vbs, .jar, .sh, ELF, Mach-O, or PE payload.curl | bash, npm install, pip install, cargo run, chmod +x, or direct execution.These queries are intended for defensive triage. Tune organization and repository filters before use.
org:YOUR_ORG is:issue is:open "fix.zip"
org:YOUR_ORG is:issue is:open "core_fix"
org:YOUR_ORG is:issue is:open "attached" "zip"
org:YOUR_ORG is:issue is:open "run this" "zip"
org:YOUR_ORG is:issue is:open "validator" ".exe"
org:YOUR_ORG is:issue is:open "hotfix" ".zip"
org:YOUR_ORG is:pr "download" "zip"
org:YOUR_ORG "chmod +x" "issue comment"
Use the GitHub CLI to enumerate potentially relevant issue comments without downloading attachments:
gh issue list --repo OWNER/REPO --state all --search "zip in:comments"
gh issue list --repo OWNER/REPO --state all --search "\"fix.zip\" in:comments"
gh issue list --repo OWNER/REPO --state all --search "\"core_fix\" in:comments"
gh pr list --repo OWNER/REPO --state all --search "\"download\" \"zip\" in:comments"
Review comment text and provenance first. Do not fetch or open artifacts during broad search.
Flag an archive when:
.. path components;/, \, drive letters, or UNC paths;.github, .vscode, .config, or startup/task locations;Flag a binary when static inspection shows:
VirtualProtect, VirtualAlloc, WriteProcessMemory, CreateRemoteThread, LoadLibrary, GetProcAddress, GetUserNameA/W, Crypt*, WinHttp*, or Internet* imports;WriteFile, WriteConsoleW, VirtualQuery, VirtualFree, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry.When these signals appear, reject the artifact path and request a normal source diff through a trusted contribution route. If execution occurred, treat the host as potentially compromised.