There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.
There are oodles of neat and singular programs on github and similar. Curious what steps people take to vet for malware before downloading and trying stuff, especially if you’re not very familiar with the coding language it’s written in.
If you can’t feasibly vet the code yourself (I think it is feasible for things like scripts and other small projects) and the star count is low/it’s not already well known and trusted, probably try running in a VM first and look out for signs of it doing things it shouldn’t, e.g. if it’s sending HTTP requests to the internet despite it being a program that should be completely offline. Using things like AppArmor and SELinux to prevent programs from doing things they shouldn’t need to do is also good practice.
Also, the tool itself may be low star count, but is the developer known at all? Someone with any kind of a reputation wouldn’t risk putting malware on their profile.
I suppose you could also look at the list of dependencies of the program. Is it using any libraries that don’t make sense? e.g. with the above, is there some kind of HTTP request library being used for a program that shouldn’t need to access the internet at all?
I think generally the risk is quite low as the author would be hiding their malware in plain sight if the source code is available. They’d have to bet on literally nobody checking. Which is fine for very obscure projects, but if you want your malware to spread, you want a good number of people to use it, at which point someone would presumably look at the code and notice it’s malware.