I found 10k GitHub repositories distributing Trojan malware

You can generate "pronounceable" passwords in some tools. 1PW just generated this for me: mimp-rort-jan-mon-kain-sqin Not as much entropy as 24 random letters/digit/punctuations/capitalisation. But (for me at least) much easier to read end type in situations where copy/paste isn't available (like from my phone to my dev docker containers)

I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.

> the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code? The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000…

That's not a distinction that people really benefit from. Approximately nobody can read other people's code for intent or quality, let alone to surface malware meant to be hidden in it. For almost everyone, the only hope is that somebody else validated the code you want to use before you choose to use it and successfully interfered with its distribution upon finding an issue. That's why the culture of automatic-updating package managers and bloated dependency graphs are so dangerous and why in…