21
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 17 Jan 2026
21 points (95.7% liked)
Asklemmy
52218 readers
533 users here now
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
- Open-ended question
- Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
- Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
- Not ad nauseam inducing: please make sure it is a question that would be new to most members
- An actual topic of discussion
Looking for support?
Looking for a community?
- Lemmyverse: community search
- sub.rehab: maps old subreddits to fediverse options, marks official as such
- !lemmy411@lemmy.ca: a community for finding communities
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~
founded 6 years ago
MODERATORS
If you can't feasibly vet the code yourself (I think it is feasible for things like scripts and other small projects) and the star count is low/it's not already well known and trusted, probably try running in a VM first and look out for signs of it doing things it shouldn't, e.g. if it's sending HTTP requests to the internet despite it being a program that should be completely offline. Using things like AppArmor and SELinux to prevent programs from doing things they shouldn't need to do is also good practice.
Also, the tool itself may be low star count, but is the developer known at all? Someone with any kind of a reputation wouldn't risk putting malware on their profile.
I suppose you could also look at the list of dependencies of the program. Is it using any libraries that don't make sense? e.g. with the above, is there some kind of HTTP request library being used for a program that shouldn't need to access the internet at all?
I think generally the risk is quite low as the author would be hiding their malware in plain sight if the source code is available. They'd have to bet on literally nobody checking. Which is fine for very obscure projects, but if you want your malware to spread, you want a good number of people to use it, at which point someone would presumably look at the code and notice it's malware.