There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.

  • sbv@sh.itjust.works · 9 points · 21 hours ago

    Generally speaking, you need to use social signals: does it seem like other people are using the software? Is it recommended by people you trust? Does the author look legit (other projects, a presence on social media, etc)?

    That’s because it’s really easy to hide malware. Developers can’t read an entire codebase, and the codebase of every library required by the tool.

    In the ideal scenario, permissions on your home directory are configured appropriately so an attacker can’t do too much damage. I’m not sure if that’s realistic, however.

    There have been lots of stories about supply chain attacks that steal developers’ crypto wallets, which is a perfect illustration of the problem.

    Edit: running everything in a VM is probably the safest way to deal with untrusted code.
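As an added example (not from this thread or any of its posters): the reply's middle ground between "check the social signals" and "run it in a VM" is to make the first trial run of an unfamiliar tool as uninteresting for it as possible. The POSIX shell wrapper below, written for this thread, gives the tool a throwaway directory as `$HOME`, scrubs the environment down to a short allow-list so agent sockets and API tokens in exported variables never reach it, caps CPU time, file size and process count, and drops network access when the kernel permits an unprivileged user to do so with `unshare`. The function names `run_isolated`, `sandbox_report` and `can_unshare_net`, the variable `SANDBOX_HOME` and the limit values are all this example's own choices. It assumes a Linux or similar system with `env`, `find` and `sed`; `unshare` is optional. This is a guard against a careless or lightly malicious script reading `~/.ssh` or `~/.config`, not a security boundary against code that is trying to escape, which is exactly why the edit in the reply still recommends a VM.

```shell
#!/bin/sh
# Example wrapper for trying an untrusted tool with less at stake.
# Not a security boundary: it hides the real home directory, shell
# history, SSH agent socket and exported tokens from a naive tool, and
# lets you see afterwards what the tool tried to write.
#
# Usage:  . ./untrusted.sh ; run_isolated ./some-tool --flags ; sandbox_report

# Directory that stands in for $HOME while the tool runs. Overridable
# so the caller (or a test) can inspect what the tool left behind.
: "${SANDBOX_HOME:=${TMPDIR:-/tmp}/untrusted-home.$$}"

# True when this kernel lets an unprivileged user drop network access
# through a user+network namespace. Fails inside many containers, in
# which case the tool simply keeps network access and we say nothing.
can_unshare_net() {
    command -v unshare >/dev/null 2>&1 && unshare -rn true >/dev/null 2>&1
}

# run_isolated CMD [ARGS...]: run CMD with a scrubbed environment, a
# throwaway HOME, resource limits and (best effort) no network.
# Exit status is that of CMD.
run_isolated() {
    mkdir -p "$SANDBOX_HOME/tmp"

    # `env -i` starts from an empty environment; only this allow-list
    # survives, so nothing exported in the caller's shell leaks through.
    set -- env -i \
        HOME="$SANDBOX_HOME" \
        TMPDIR="$SANDBOX_HOME/tmp" \
        PATH=/usr/local/bin:/usr/bin:/bin \
        LANG=C \
        "$@"

    # Inside `unshare -rn` the tool sees uid 0 in its own namespace; it
    # has no extra privilege on the real system but some tools may behave
    # differently when they think they are root.
    if can_unshare_net; then
        set -- unshare -rn "$@"
    fi

    (
        cd "$SANDBOX_HOME" || exit 1
        # Lowering a limit is always allowed; raising one above the hard
        # limit is refused, hence the best-effort `|| true`.
        ulimit -t 60     2>/dev/null || true  # at most 60 CPU-seconds
        ulimit -f 204800 2>/dev/null || true  # files <= ~100 MiB (512-byte blocks)
        ulimit -u 256    2>/dev/null || true  # process cap, blunts fork bombs
        exec "$@"
    )
}

# sandbox_report: list the files the tool created under its throwaway
# HOME, relative to it. Cheap post-run check: a CLI formatter that wrote
# ".ssh/authorized_keys" or ".bashrc" deserves a closer look.
sandbox_report() {
    find "$SANDBOX_HOME" -type f | sed "s|^$SANDBOX_HOME/||" | sort
}
```

Run the real tool through `run_isolated` exactly as you would run it directly, then read `sandbox_report` before deciding whether to let it near your actual home directory. The throwaway directory is deliberately not deleted, so a tool that drops files where it has no business can be inspected after the fact.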