There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.
In the case of the AUR, I just read the build scripts. Make sure it isn’t deleting my home directory or curling in some shady shit.
Have there actually been meaningful cases of malware sitting out in the open on github?
that’s what a lot of CVEs are
If you can’t feasibly vet the code yourself (I think it is feasible for things like scripts and other small projects) and the star count is low/it’s not already well known and trusted, probably try running in a VM first and look out for signs of it doing things it shouldn’t, e.g. if it’s sending HTTP requests to the internet despite it being a program that should be completely offline. Using things like AppArmor and SELinux to prevent programs from doing things they shouldn’t need to do is also good practice.
Also, the tool itself may be low star count, but is the developer known at all? Someone with any kind of a reputation wouldn’t risk putting malware on their profile.
I suppose you could also look at the list of dependencies of the program. Is it using any libraries that don’t make sense? e.g. with the above, is there some kind of HTTP request library being used for a program that shouldn’t need to access the internet at all?
I think generally the risk is quite low as the author would be hiding their malware in plain sight if the source code is available. They’d have to bet on literally nobody checking. Which is fine for very obscure projects, but if you want your malware to spread, you want a good number of people to use it, at which point someone would presumably look at the code and notice it’s malware.
Even if you do know code, nobody reads all the source code when trying something out.
We still rely largely on trust, and herd protection. Lots of stars on github? Been around for a while? Keeps showing up in “Top lists” and on those posts on social media where people list the foss software they use? Issues get solved reasonably quickly and there’s no ancient and ignored posts on there? It hasn’t changed hands recently to somebody with a new account and no history? It’s probably a good project.
It is still a risk, but a managed one.
Star count.
One thing that can help (more for libraries than large applications) is “dependency cooldowns”. Basically don’t use the latest version of anything until a few weeks after its release. The hope is that most malicious changes or blatant bugs will be caught fairly early.
https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
Validates my feelings as a Debian user
That’s the neat part, you don’t!
You just get to feel marginally safer that there is at least the opportunity for someone out there to do it.
Generally speaking, you need to use social signals: does it seem like other people are using the software? Is it recommended by people you trust? Does the author look legit (other projects, a presence on social media, etc)?
That’s because it’s really easy to hide malware. Developers can’t read an entire codebase, and the codebase of every library required by the tool.
In the ideal scenario, permissions on your home directory are configured appropriately so an attacker can’t do too much damage.
I’m not sure if that’s realistic, however.There have been lots of stories about supply chain attacks that steal developer’s crypto wallets, which is a perfect illustration of the problem.
Edit: running everything in a VM is probably the safest way to deal with untrusted code.
Its not foolproof but one easy way is to use something like Portbox or LittleSnitch to check if it tries to phone home. If internet access isnt reasonably required for it, thats sort of a bad look in my view. If you really need what it does - the internet stuff, make sure its blocked from internet use with one of those apps. Otherwise, try to find one that doesnt do that
If you are a corporation staking thousands or millions of dollars on some code, you hire someone to audit it. If you are a dude playing with apps on your phone, you accept the risk of ingorance.
In theory yes. But as an insider to a company that sells proprietary software…also no. LOL.
They build a lot of their stuff on top of opensource code. There has been the exact same exploits as open source projects, and even a few malware intrusions from either some devs deliberate sabotage or infected machine. Not every giant corporation is checking in depth like you assume they should be, they go on trust to save shareholder profits and if they do an external audit and its a zero day nobody* is catching it.
*there was that one a while back in an unrelated project where the only reason it was caught was a dev nerd noticed the very slight delay in network response compared to previous version. So caught by human feels wrong and not a diff of git
The question being answered was not, “What are the common practices for…?”
If it’s on git and other people are using it with no issues, or it was reccommended by someone you trust, it’s probably fine (the software itself) - that’s not to say the developer could have built something sketchy into the app, or could one day be compromised. It also depends how/where I’m running the apps (on my PC, or on a VM inside a container?) Threat models are different for each.
All of that said, supply chain attacks and sketchy developers selling out could totally be a thing, and you’d get some malware on your computer!
I’d be interested in what other people think/doaboit the OPs question though.
