Posted an issue. Someone apparently on Github (it looked like a totally legitimate page https://github.com/NeonRST) suggested I download and install something from a link they provided. I said no thank you, I don’t install things I don’t know what they are, and five minutes later that page and the post were gone.
Beware!
Edit: It seems that many of you were seduced by the link above to click on it. Of course, it was in the meantime deleted and hence is dead. I fixed that.
11 Likes
I’ve seen this as well on a couple of repos, reported it to Github and deleted it. This seems to be pretty prevalent across communities, I’ve seen quite a few maintainers mention this kind of thing.
2 Likes
Where does one report this?
You can report it to Github while the code is there, but the best they can do is remove it, so if it is gone then that’s it.
In theory your local police may have a cybercrime unit, but they usually focus on larger crimes. Unless you were actually scammed, lost money, or had a security breach with access to sensitive data, they may not prioritize it as these scam attempts are very common and the perpetrators are difficult to track.
Right. But at the least, Github could try to make it more difficult to create fake personas/profiles?
First reporting then deleting is probably better, as github can also delete entirely the account. If you only delete without reporting they probably won’t do anything about it.
1 Like
I think it would be perfectly adequate if Github mandated a delay of a few days for the creation and deletion of a profile. If a profile can be deleted right away, there is no time for someone to report that profile for malfeasance. Similarly, if profile creation does not cost any time, a window is opened for someone to create one on the fly to fit a purpose.
Welcome to the internet, where nobody is a real person. Seriously, though, combating bots and/or bad behavior is hard. I expect that it was GitHub who deleted that account due to the bad behavior. And it seems they did it right quick. I suppose the bad actor could’ve done it themselves to avoid detection, but I’d be very surprised — that limits the scope and duration of their attack.
Any large site needs to deal with this. I’m sure there are multiple engineers constantly working on it at GitHub.
2 Likes
That is precisely what is counterproductive here (if indeed it was Github itself; in this case I believe it was the malfeasant, since my comment indicated I was onto him/her). Not deleting that account, just disabling it or labeling it as malicious, would allow those that were harmed to demand redress.
I am pretty sure they still have all the info in their logs if you want to go to court about this, but practically, even if you find the perpetrator, it is unlikely that you will be able to collect anything. So I would just ignore it and move on.
I am not saying that I want to pursue this action. I am saying that introducing the profile creation/deletion delay at Github would potentially save a lot of headaches to a lot of people.
Github deletes the account if someone reports it.
Possibly, but at the same time it would also have costs for well-meaning users (delays) and Github (user frustration). The net benefit is unclear; malicious users could just create accounts in advance.
It seems that the basic problem is getting a message that was about downloading and running something unknown on your system. Github is not the only channel for that (it could happen on various forums, including this one).
It is best to just assume that every single online persona you are interacting with could be potentially malicious. Even accounts who have some history on a site, or someone you have interacted with in the past, could be hiding someone with harmful intentions (accounts are occasionally hijacked). Just never run untrusted code.