
docs(security): report on kilocode-agent/kilocode-2.0 impersonation repository#1717

Open

kilo-code-bot[bot] wants to merge 1 commit into main from security/kilocode-agent-impersonation-report

Conversation


@kilo-code-bot kilo-code-bot bot commented Mar 30, 2026

Summary

Analysis of the GitHub repository kilocode-agent/kilocode-2.0 confirms it is a malicious impersonation of Kilo Code. Key findings:

  • Brand impersonation: The org name kilocode-agent, repo name kilocode-2.0, and README all falsely claim affiliation with Kilo Code, using SEO-optimized topics like kilocode, download-kilocode, install-kilocode.
  • Source code stolen from OpenCode: The entire TypeScript source tree is copied verbatim from anomalyco/opencode (132k stars). All internal identifiers, window titles, menus, and imports reference "OpenCode" — not Kilo Code or anything related.
  • Unverifiable binary payload: The primary attack vector is an 89 MB .7z archive (Kilocode_2_x64.7z) in GitHub Releases that cannot be built from the published source (no package.json, no build scripts, no CI). This binary could contain malware.
  • Social engineering: The README fabricates features ("Smart Loop Breaker", "Budget Dashboard") to lure downloads, with a comparison table positioning the fake as superior to "Official Kilocode."

The report recommends filing a GitHub abuse report, DMCA takedown, user warnings, and sandbox analysis of the binary.

Verification

  • All repository contents inspected remotely via gh api /repos/kilocode-agent/kilocode-2.0/contents/... — no code was cloned locally
  • Verified source is from OpenCode by comparing identifiers, imports, and references across all source files
  • Confirmed the release binary cannot be reproduced from source (no package.json, no build config)
  • Verified the org kilocode-agent was created on the same day as all commits (2026-03-13)

Visual Changes

N/A

Reviewer Notes

  • The binary Kilocode_2_x64.7z in GitHub Releases should be submitted to VirusTotal for analysis before any further action.
  • The report is at security-reports/2026-03-30-kilocode-agent-impersonation.md.
  • Consider filing a GitHub abuse report at https://github.com/contact/report-abuse and a DMCA takedown for trademark infringement.
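
The remote checks listed under Verification (build indicators absent from the tree, org creation date matching every commit, a release binary with no reproducible source), as an added example that is not code from this PR or from the Kilo Code project. It consumes the JSON that `gh api` returns for the contents, org, commits and releases endpoints; the field names follow the GitHub REST API, and the sample responses embedded below are constructed to mirror the report's findings rather than captured from the live repository.

```python
"""Offline triage of a suspected impersonation repository from GitHub API JSON.

Added example, not code from the PR or the Kilo Code project. It consumes the
responses of these commands (the samples below are constructed, so nothing
here touches the network):

  gh api /repos/kilocode-agent/kilocode-2.0/contents/
  gh api /orgs/kilocode-agent
  gh api /repos/kilocode-agent/kilocode-2.0/commits
  gh api /repos/kilocode-agent/kilocode-2.0/releases
"""
from datetime import datetime

# A TypeScript tree needs at least these to produce a release binary.
REQUIRED_FOR_BUILD = (
    ("package.json", "file"),   # package manifest with build scripts
    ("tsconfig.json", "file"),  # compiler configuration
    (".github", "dir"),         # CI workflows
)
BINARY_SUFFIXES = (".7z", ".zip", ".exe", ".msi", ".dmg", ".tar.gz")


def missing_build_indicators(contents):
    """Names from REQUIRED_FOR_BUILD absent from a top-level contents listing."""
    present = {(entry["name"], entry["type"]) for entry in contents}
    return [name for name, kind in REQUIRED_FOR_BUILD if (name, kind) not in present]


def _day(iso_ts):
    # GitHub returns RFC 3339 with a trailing Z; older fromisoformat rejects it.
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")).date()


def commit_days(commits):
    """Set of calendar days on which the listed commits were authored."""
    return {_day(c["commit"]["author"]["date"]) for c in commits}


def org_created_with_commits(org, commits):
    """True when every commit falls on the day the org was created."""
    return commit_days(commits) == {_day(org["created_at"])}


def unbuildable_release_assets(releases, contents):
    """Release assets that look like binaries but cannot be rebuilt from source.

    Returns [] when the tree carries every build indicator: a binary that can
    be reproduced is not suspicious on this ground alone.
    """
    if not missing_build_indicators(contents):
        return []
    return [
        asset["name"]
        for release in releases
        for asset in release.get("assets", [])
        if asset["name"].lower().endswith(BINARY_SUFFIXES)
    ]


def triage(contents, org, commits, releases):
    """Collect the findings as short strings for a report."""
    findings = []
    missing = missing_build_indicators(contents)
    if missing:
        findings.append("source tree lacks: " + ", ".join(missing))
    if org_created_with_commits(org, commits):
        findings.append(f"org created on {_day(org['created_at'])}, same day as all commits")
    for name in unbuildable_release_assets(releases, contents):
        findings.append(f"release asset {name} cannot be reproduced from source")
    return findings


# Constructed sample responses (shape follows the GitHub REST API).
SAMPLE_CONTENTS = [
    {"name": "README.md", "type": "file"},
    {"name": "LICENSE", "type": "file"},
    {"name": "packages", "type": "dir"},
]
SAMPLE_ORG = {"login": "kilocode-agent", "created_at": "2026-03-13T09:12:44Z"}
SAMPLE_COMMITS = [
    {"sha": "a" * 40, "commit": {"author": {"date": "2026-03-13T09:20:01Z"}}},
    {"sha": "b" * 40, "commit": {"author": {"date": "2026-03-13T11:02:37Z"}}},
]
SAMPLE_RELEASES = [
    {"tag_name": "v2.0", "assets": [{"name": "Kilocode_2_x64.7z", "size": 89 * 1024 * 1024}]},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_CONTENTS, SAMPLE_ORG, SAMPLE_COMMITS, SAMPLE_RELEASES):
        print("-", line)
```

To run it against a live repository, pipe each `gh api` response through `json.load` and pass the four objects to `triage`; the release asset itself still needs to be hashed and submitted to a sandbox separately, since nothing here inspects its contents.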


kilo-code-bot bot commented Mar 30, 2026

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)
  • security-reports/2026-03-30-kilocode-agent-impersonation.md

Reviewed by gpt-5.4-20260305 · 76,790 tokens
