Hacker News

gus_today at 3:29 PM

A year ago a similar attack was reported and I think that there have been similar campaigns reported this year: https://github.com/evilsocket/opensnitch/discussions/1290#di...

  - This is a new repository, not a fork
  - All repositories have different contributors and different names
  From the last two points, it becomes clear that even if we find one such repository, we won’t be able to find other similar repositories using it.
In previous campaigns the repositories were linked to a few users. But those users had starred other users who, at the same time, had also cloned other repositories with the malware. Sometimes the malicious repository had been cloned from another malicious repo, and if you listed the repositories and "friends" of that user, all were part of the botnet.

Also, GitHub doesn't delete repositories and accounts; they mark them as deleted. If you use their API you can still list them.