
Vigilante Justice on GitHub

submitted by
Style Pass
2025-01-19 15:30:05

For years open source projects have let you "decorate" your contribution graph with fake Git commit histories. But did you know you can graffiti OTHER PEOPLE's GitHub activity? Take, for example, the banner below that I stuck on a few spammers' and phishers' GitHub profiles.

You may know that you can paint funny pixel art on your GitHub activity graph with a simple script, by taking advantage of the fact that Git commits can be backdated and that there is no timestamp validation between Git and GitHub:

This lets essentially anyone plaster a 7x52-pixel billboard on other users' activity graphs without their permission. To make matters worse, as the victim you can't remove those commits. That's not great…
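Since neither Git nor GitHub validates commit timestamps, the only way to notice backdating or misattribution is to audit the history yourself. The script below is an added example (not code from the original post) that reads the output of `git log --format='%H|%ae|%aI|%cI|%G?'` and flags two things: commits whose author date sits far behind their committer date (the fingerprint of a commit created recently but dated into the past), and commits attributed to an address you care about that carry no good signature. The log lines and e-mail addresses are constructed for the example, and the seven-day skew threshold is an assumption you should tune to your own workflow.

```python
"""Audit a Git log for backdated or unattested commits.

Added example, not code from the original post. Input lines come from:

    git log --format='%H|%ae|%aI|%cI|%G?'

where %aI / %cI are the author and committer dates in strict ISO 8601
and %G? is Git's signature status (G = good signature, N = unsigned).
The sample below is constructed, not taken from a real repository.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a normal signed commit, a commit whose author date is
# years behind its committer date, and an unsigned commit claiming an
# address we are watching.
SAMPLE_LOG = """\
a1b2c3d4|maintainer@example.org|2025-01-10T09:15:00+00:00|2025-01-10T09:15:00+00:00|G
e5f6a7b8|maintainer@example.org|2019-06-01T00:00:00+00:00|2025-01-11T13:02:11+00:00|N
c9d0e1f2|victim@example.org|2025-01-12T08:00:00+00:00|2025-01-12T08:00:05+00:00|N
"""


@dataclass
class Finding:
    sha: str
    reason: str


def parse_log(text):
    """Split pipe-delimited git log lines into commit records."""
    commits = []
    for line in text.strip().splitlines():
        sha, email, author_date, commit_date, sig = line.split("|")
        commits.append({
            "sha": sha,
            "email": email,
            "author_date": datetime.fromisoformat(author_date),
            "commit_date": datetime.fromisoformat(commit_date),
            "signature": sig,
        })
    return commits


def audit(text, watched_emails, max_skew=timedelta(days=7)):
    """Return findings for backdated commits and for unsigned commits that
    claim one of the watched e-mail addresses.

    The skew check only catches commits where the author date was rewritten
    but the committer date was left alone; if both were forged it is silent,
    which is why the signature check exists as a second, independent signal.
    """
    findings = []
    for c in parse_log(text):
        skew = c["commit_date"] - c["author_date"]
        if skew > max_skew:
            findings.append(Finding(
                c["sha"],
                f"author date is {skew.days} days behind committer date"))
        if c["email"] in watched_emails and c["signature"] != "G":
            findings.append(Finding(
                c["sha"],
                f"unsigned commit attributed to {c['email']}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, {"victim@example.org"}):
        print(f.sha, f.reason)
```

Run it against a real repository by piping the `git log` command above into `audit`. The signature check is the more robust of the two: a commit that merely claims your address cannot carry a signature made with your key, so requiring signed commits (and GitHub's vigilant mode, which labels unsigned commits attributed to your account as unverified) gives readers of your profile a way to tell your work from graffiti.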

Additionally, there have been many cases of GitHub users merging malicious code into repos they don't own, such as the infamous XZ backdoor:

Wouldn't it be great if we could put some kind of warning on these users' profiles, to alert others? You can probably see where this is going.
