Dylan Nugent

I am deep in the rabbit hole of looking into an apparently deeply scammy looking zsh plugin manager called "zi".

I think it's an extremely bad idea to use "z-shell/zi" or anything else from the same "creators". There's an entire field of red flags here.

Dylan Nugent

I'll start with its origin: it's apparently a fork of zinit, which was a project created by zdharma (Sebastian Gniazdowski).

I say apparently because the "fork" was created by bulk importing all the original zinit code: github.com/z-shell/zi/commit/2.

This happened a few weeks after zdharma disappeared off the internet and deleted all their repos. That makes it a bit less of a red flag—it might be the only way to rescue the code—but rescue forks should still acknowledge they are forks.

Dylan Nugent

Making a rescue fork of an abandoned project is normal (e.g. github.com/zdharma-continuum/z).

You know what's not normal? Creating an organization with the same name as their deleted GitHub username so that anyone who comes to find the old repos finds the projects you now control.

Props for making it look creepy as fuck, though.

Dylan Nugent

That's not their main org though.

Their main org is called...z-shell. This is the first thing that threw me when I stumbled on this—this isn't official zsh docs, but it's all hosted at wiki.zshell.dev, which feels like an attempt to _seem_ official.

Dylan Nugent

Here's the site: wiki.zshell.dev/

They're good at throwing together believable looking project websites, so long as you focus on the visuals. Lots of flashy imagery (some of these icons are animated, too) to distract from sentences like "Instant prompt postponing plugins loading to a moment when the processing of .zshrc file is finished."

Oh, it's not a "wiki" in any sense except that I guess you could submit a PR to it on Github, if you were wondering.

Dylan Nugent

The project is a plugin manager for zsh, because that's what zinit was, though they don't make that clear here.

There's a minute long asciinema on the page of the installer script running, which shows that they like flashy colorful outputs but doesn't really give me any impression of the claimed "speed" (asciinema.org/a/509113). Why would this be your "see it in action"?

Also their install script starts with "Installing interactive feature-rich plugin manager (z-shell/zi)". Gotta love that.

Dylan Nugent

So how do you install this?

Well it's easy, you just...wait, you WHAT?

You um...you add a curl directly to your .zshrc. You're sourcing this from the website _every time you open a shell_.

That's gotta be the slowest possible option, to say nothing about the security concerns.

Dylan Nugent

That page is a redirect to the init script on Github. At the moment. It sure could change.

But if you're concerned about that, they have "verified" installation instructions, and I...I can't even.

Just put a hardcoded checksum in your zshrc and if the script you download doesn't match it, refuse to do anything.

Why wouldn't you just download the current version? Why constantly re-download it on every shell invocation just to check that it's unchanged?

...I can't even

Dylan Nugent

Anyways by this point the picture I have is that the "devs" don't know what they're doing.

There's a non-malicious explanation for all of this, and indeed, I think a non-malicious explanation is in order. They're cosplaying as open source developers.

Actually building a useful project is hard. Grabbing someone else's, throwing up some flashy pages, and borrowing credibility from other projects with look-alike names is far easier.

I wouldn't trust any code from this site, malice or not.

Dylan Nugent

Oh, and that ain't all they cosplay as.

They also run a "marketing firm" staffed by generic AI faces, for instance.

...I told you I was *deep* in this rabbit hole

Dylan Nugent

Let's back up. Who are the devs of zi?

Well, they have a "Contributors" doc. Let's take a look.

At first glance, it's a lot of them.

(yes, I see the project logo. We are going to come back to that. It's a whole separate thing. Seriously.)

Dylan Nugent replied to Dylan

You're probably not surprised at this point to learn what isn't on the list: any mention of zdharma or the original project this forked off of.

You might also be unsurprised to learn that the vast majority of these "contributors" have exactly one commit. It's not even clear to me all of them want their profiles under "Contributors" here, though plenty of them seem kinda scammy.

It seems like the real owner of the project is Salvydas Lukosius, aka "ss-o".

Dylan Nugent replied to Dylan

Salvydas is a busy guy: according to his LinkedIn, he has three jobs, one of which might be his actual job (the other two are scams including the marketing firm I showed earlier).

Dylan Nugent replied to Dylan

Unshockingly he's real into AI, btw. WiseHub offers "Generative AI to boost your business" on their generic marketing page.

We can identify some signatures of Salvydas's on the pages for these businesses, like putting some arbitrary words in all CAPS, including "FAQs" that were clearly generated by an LLM, and my favorite...well, just see for yourself.

Dylan Nugent replied to Dylan

So what, right? This is all _probably_ harmless, if it's just business cosplay.

After all, I can't imagine anyone actually engaging a marketing firm that uses "RESULT$" right on their website. And I have no idea how anyone would find and stumble into these fake businesses.

But Salvydas isn't lying about one thing. He's good at "SEO".

By which I mean, his project is beating zsh.org itself in my search for "zshell"

Dylan Nugent replied to Dylan

This is how I found it. I was searching for some info on zprof, because what better to do with my weekend than track down the slowness in my prompt, and I came across this "Benchmarking" page: wiki.zshell.dev/docs/guides/be

At first, I didn't quite register what I was looking at. The site appeared legit, and I wondered if there was an official zsh wiki now or something. Sure, the writing is bad, but it's a wiki!

The reference to "zi" made it clear it wasn't for zsh proper, but it had me for a second.

Dylan Nugent replied to Dylan

I can believe that these are script kiddies cosplaying as professionals. I did that when I was a teenager, and I don't have a problem with it. It's harmless fun.

But remember when I said I needed to get back to the logo? We need to get back to the logo.

Here's a huge version, the only thing on their "Community" page

Let's look at it side by side with the official zsh logo, shall we?

Dylan Nugent replied to Dylan

Well, that's unmistakable right? They just added the "ELL". They're clearly _trying_ to look like the original project.

That's enough to tilt this towards being a problem, IMHO. I have no clue what they intend to do with this, but...this is weird.

...And it gets weirder

Dylan Nugent replied to Dylan

Oh hey, it's the "ZSHELL" version of the logo on the Wikipedia page for zsh.

Am I losing my mind? Did the actual zsh project adopt this logo? If yes, is that better or worse?

Let's find out.

Dylan Nugent replied to Dylan

Headline first: no, that is _not_ an official zsh project logo, as far as I can tell. Official zsh pages still have the one that just says zsh.

Dylan Nugent replied to Dylan

So where did this logo come from?

It was added by Wikipedia user Justindorfman in March of 2022:
en.wikipedia.org/w/index.php?t

Justindorfman has two contribs to Wikipedia ever. The other one is...changing the bash logo in 2016.

...wat

Dylan Nugent replied to Dylan

Assuming Justindorfman is the same Justin Dorfman who works at Sourcegraph (twitter.com/jdorfman), this might be legitimate. It's sure the first time a name has come up that seems like a real developer.

Unfortunately, Twitter is awful now and I can't ask him via DM, not because his DMs are closed but because apparently DMing people who don't follow you is a "premium feature".

This mystery has me perplexed, but not enough to give Elmo $10.

Dylan Nugent replied to Dylan

I wouldn't put it past someone with seven faked LinkedIn profiles and a Github org squatting on the name of a well-known developer who nuked their accounts to register a fake "Justin Dorfman", of course. But the account _is_ from 2016, and Sall's activity seems to have started more recently.

Dylan Nugent replied to Dylan

...We're so deep in tangents now and apparently some people are actually reading this, so hello friends! Welcome to the messy maze that is my mind. It won't get more organized, and I'm not sure where it's going, but hopefully you have fun riding along.

Dylan Nugent replied to Dylan

Anyways. Regardless of whether the Justin account is the same Justin Dorfman, this Wikipedia user seems to be pretty fine making a self-serving change.

His edit adding the Bash one back in 2016 says this:
"I updated the GNU Bash logo to the latest. You can read the history here: unixstickers.com/blog/new-home also used by Chet Ramey's Bash page: tiswww.case.edu/php/chet/bash/"

Hmm.....

Dylan Nugent replied to Dylan

That blog post is gone now, and unixstickers.com redirects to Sticker Mule.

It's days like this I am deeply grateful for the Wayback Machine.

web.archive.org/web/2016022923

If you're reading this and able to, go donate to Internet Archive! They make it possible to actually dig up and uncover stories like this.

Dylan Nugent replied to Dylan

So the gist of this post is that Justin didn't like how old the Bash logo was, emailed the current maintainer (Chet Ramey), asked if he could redesign it, got told yes, and then put some stickers of the new logo up for sale.

I buy this story entirely. I've reached out to maintainers of old, critical projects before and they're usually super responsive and friendly. I suspect Chet didn't care about the logo and saw no harm, and of course, Justin got to sell some stickers.

Dylan Nugent replied to Dylan

We can clearly see the story isn't the same with the zsh logo. There's no indication anywhere that they have changed the name in their logo from zsh to zshell.

Prior to Justin's edit, the zsh page didn't have a logo. Given that he appears to like shell logos and this fake logo from z-shell/zi was already floating around at the time, it's easy to imagine this was just a mistake.

But it sure lends even more false credibility to this project.

Dylan Nugent replied to Dylan

This is more or less where I've ended up, so probably a good time to wrap up this thread.

There's more weirdness I saw—"Salvydas" runs several other projects on GitHub for instance, including quite a few under the "digital-clouds" org that is also his, though none seem as popular as zi.

It's all pretty similar in form and content, though, and none of it beats the shock I had clicking "about" and seeing six AI generated men staring me down or finding their logo on Wikipedia.

Dylan Nugent replied to Dylan

The TL;DR is that I wouldn't trust anything from "Salvydas Lukosius" or "ss-o" or "z-shell" or "digital-clouds".

At best, they're an inexperienced developer who cares more about looking like an experienced, trusted developer than they do actually becoming one.

At worst, they are some kind of scammer.

I have yet to take a deeper look into the zi source code, but even without that I can safely say the whole project is extremely sus.

Sebastian Lauwers replied to Dylan

@dylnuge Fantastic digging and story. It’s so bizarre that it doesn’t entirely veer into either cosplay or fraud/con, but instead hovers awkwardly in the middle.

shom 🐧📷🤿🏔️🪚 replied to Sebastian

@teotwaki it's like setting the stage for something shady that hasn't happened yet... Putting on another tin foil hat on top: perhaps this is a new genre of schemes where potential social FOSS exploits are prepped for the right buyer? I tend to think it's just cosplay and credibility laundering but I'll keep the option open.

@dylnuge great investigation and thanks for sharing with receipts!

AlisonW ♿🏳️‍🌈 replied to Dylan

@dylnuge
I wonder how Wickes feel about him! 😳

fedithom

@dylnuge

Ah. I was thinking 'this MUST have some AI junk in it', and it delivers.

Thanks for doing the digging

wizzwizz4

@dylnuge Because it downloads it twice, of course. I betcha I could write a web server that exploits the heck out of this. (Pretty sure I remember someone else doing that, actually: think they used a timing attack.)

natan

@dylnuge Also including a classic TOCTOU "bug"
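
Added example (mine, not code from the thread or from the z-shell project) of the pattern the "verified install" and double-download/TOCTOU posts above are arguing for: fetch once into a temp file, hash the exact bytes you will source, cache them, and on later shell starts verify the cache offline instead of hitting the network. It goes one step past the thread by also re-checking the cached file before sourcing it. ZI_CACHE, ZI_PINNED_SHA256, cache_ok, verify_and_cache and fetch_init are assumed names, and the pinned hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the z-shell project. Replaces the
# "download twice, compare, then source whatever the second download was"
# pattern with: fetch once, hash the bytes you will actually execute, cache
# them, and verify the cache offline on every later shell start.
# ZI_CACHE, ZI_PINNED_SHA256 and the three functions are assumed names; the
# pinned hash is a placeholder to fill in after reviewing the script by hand.

ZI_CACHE="${ZI_CACHE:-${TMPDIR:-/tmp}/zi-init-cache.zsh}"
ZI_PINNED_SHA256="${ZI_PINNED_SHA256:-PLACEHOLDER_SHA256_OF_REVIEWED_SCRIPT}"

# Portable sha256 of a file (GNU coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# cache_ok CACHE EXPECTED_SHA256: 0 only if the cached file exists and still
# hashes to the pinned value (catches a tampered or stale cache, no network).
cache_ok() {
  [ -r "$1" ] && [ "$(sha256_of "$1")" = "$2" ]
}

# verify_and_cache FETCHED EXPECTED_SHA256 CACHE
# Hashes FETCHED and moves that same file into CACHE on a match; on a mismatch
# it deletes FETCHED and returns 1, so no unverified bytes are left on disk.
# Hashing and installing the same file closes the TOCTOU window that exists
# when one download is hashed and a second one is executed.
verify_and_cache() {
  fetched=$1; expected=$2; cache=$3
  actual=$(sha256_of "$fetched") || { rm -f "$fetched"; return 1; }
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to install: sha256 %s != pinned %s\n' \
      "$actual" "$expected" >&2
    rm -f "$fetched"
    return 1
  fi
  mv "$fetched" "$cache" && chmod 0600 "$cache"
}

# fetch_init URL CACHE: the only network round trip, and only when cache_ok
# fails. -f refuses HTTP error pages, -L follows the redirect to the raw file.
fetch_init() {
  tmp=$(mktemp) || return 1
  curl -fsSL "$1" -o "$tmp" || { rm -f "$tmp"; return 1; }
  verify_and_cache "$tmp" "$ZI_PINNED_SHA256" "$2"
}

# Assumed .zshrc usage (ZI_INIT_URL is whatever URL you pinned the hash for):
#   cache_ok "$ZI_CACHE" "$ZI_PINNED_SHA256" || fetch_init "$ZI_INIT_URL" "$ZI_CACHE"
#   cache_ok "$ZI_CACHE" "$ZI_PINNED_SHA256" && . "$ZI_CACHE"
```

A pinned hash means an upstream update is a deliberate act (review the new script, update the hash) rather than something that silently happens at the next shell start.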

Dylan Nugent

@bortzmeyer DNSSEC only really handles DNS MITM attacks; it's not much help if you don't trust the party that owns the domain.

FWIW, the DNS configuration all appears to be set up through Cloudflare and nothing stood out to me there (I spent a little while digging there).

Security-wise, I'd be much more worried that they change what gets served from init.zshell.dev so that it doesn't match what's on Github, a la a much less sophisticated version of the xz/liblzma attacker.

Paul_IPv6

@dylnuge

quickest thing for the developers to shove out. not quickest (or safest) for the end user.

lown

@dylnuge this is so cursed. it's like that xkcd about Google image searching wheels, except instead of 'wheels' it's 'software that will turn your computer into a Bitcoin miner'

Fluffy Kitty Cat

@dylnuge heck

smh I like being able to use the internet not being chained to a 24/7 connection

Jima :Compromise_bi_flag:

@dylnuge @tychotithonus 😱

What a rabbit hole. Thanks for taking the rest of us along for the ride (not to be mistaken for "a ride" 👀).

Ret the Folf

@dylnuge @fluffykittycat bloody hell, sometimes even having git-related stuff in my zsh prompt slows things down too much. Also wouldn’t your shell stop working if your internet connection was down too?

Fluffy Kitty Cat

@ret @dylnuge I've been increasingly interested in asynchronous communications systems for operating in difficult situations where your only telecommunications options are microSD cards mailed in envelopes, USB dead drops, Baofengs wired to sound cards, etc. so the idea of my fucking shell needing an internet connection to function is cooked. software developers should be cursed with intermittent internet connections to force them to write software that works in the real world

Simon

@dylnuge curl defaults to HTTP too, which is why they need to specify -L (for the redirect to HTTPS)

Dylan Nugent

@omnomis Agreed that's part of it, though the -L at the moment also ensures that it follows the 301 to raw.githubusercontent.com/z-sh where the content actually lives.

Practically I'd be far less skeeved out by them using a domain as a shortlink if not for the fact that it's gotta do it every time you open a shell.

FoolishOwl

@dylnuge That's pretty much why I stopped using oh-my-zsh.

Ogi

@dylnuge @campuscodi filthy casual here that used zi years ago, but no longer do. Can you give some examples of red flags here or things to broadly be on the lookout for?

Dylan Nugent

@ogi This is an in-progress whole thread about them! But the TL;DR is that the project appears to be intentionally misleading people into thinking that it's legitimate when there's significant evidence that the developer doesn't know what they are doing and may be running multiple scam businesses on the side.

I wouldn't trust the person who runs the project, and by extension, wouldn't trust the project.

hsarfaraz

@dylnuge Hi, this is a very interesting thread. Would you mind sharing your email, I would like to contact you to learn more about the zsh script??

Unixorn - 90% Snark by weight

@dylnuge

Thanks for posting all of this information.

I'm removing it from the awesome-zsh-plugins list in github.com/unixorn/awesome-zsh

If you run across any other sketchy frameworks or plugins, please let me know, whether by a PR, issue or DM.

Nik | Klampfradler 🎸🚲

@dylnuge

Having your shell pull random code from a gazillion GitHub repositories and execute it unsandboxed is in general a red flag. I have no idea how anyone can seriously consider that.
