Is the account "eemailme" following your github projects?

0xDE57 · December 9, 2024, 3:32am

Some users have discovered this strange bot like account following many profiles.

They are following me (all my projects, seemingly automatically). I am just curious if they are following anyone here also.

I don’t care if a bot follows me. We just don’t know what it is. Maybe just a bot training on code?

I don’t know how to look into this. I have not emailed it yet and don’t want to because other in the comments have emailed it and it seems rather fishy.

This may be of some interest to someone in security who looks at weird profiles?

mietzen · December 9, 2024, 5:24am

Could also be a “premium star” account:

0xDE57 · December 9, 2024, 5:31am

Yeah. This is what we are trying to figure out.

Gamifying stars for “trust”.

I thought maybe this could be similar behavior to something like this:

Note to developers, don’t choose a library or framework based on how many likes (stars/watchers) it has.

regulareel · December 9, 2024, 8:35am

Well thats tough, what kind of metric should an enthusiast look out for?

0xDE57 · December 9, 2024, 8:41am

Hmm, It depends on the requirements of the project I suppose. Personally I would choose a library based on its features, documentation, how well its maintained. Not pick a library just because its the most popular when it may not even fit your needs.

If a new library pops up tomorrow with 20k likes with no history that’s a little sus.

I guess you have to evaluate it based on its merit and how long the project has been around?

regulareel · December 9, 2024, 8:43am

Ok so now I have to stalk and do OSInt check on devs as well…

0xDE57 · December 9, 2024, 8:45am

Well, I love open source. But you cant reasonably expect someone to evaluate every line of code. It’s not humanly feasible.

So where does trust come from?

I’ve never looked at a single line of the KDE code, but I trust the project enough to daily drive it based on tons of reviews and history.

mietzen · December 9, 2024, 9:34am

Well if you want to make sure it’s legit / does what it is supposed to do: look at the code.

Unfortunately this isn’t true anymore since chatGPT. Hint: lazy generated “A.I.” code has comments on nearly every line.

0xDE57 · December 9, 2024, 10:02am

someone has has already done a little work.

this thread suggests potentially some links to OpenAI? very strange profile.

github.com/mbostwick/agile-game

Is eemailme a bot who is watching this project ?

opened 12:25AM - 01 Aug 24 UTC

closed 08:56AM - 09 Dec 24 UTC

mbostwick

so I was sharing this project with a friend, and in checking to see the engageme…nt of my agile project I found something strange. A non-human appears to be watching this project. Now I have no confirmed they are part of a bot net yet. I did some research: - https://news.ycombinator.com/item?id=36565842 - https://web.archive.org/web/20230702215522/https://sh.itjust.works/post/580838 - https://github.com/eemailme?tab=achievements I'm going to try direct email. However, I have found people who want to hide things or are bad actors don't respond.

dunno. blocking and moving on for now.

¯\(ツ)/¯

0xDE57 · January 4, 2025, 11:21pm

A new study on this growing problem and pattern:

4.5 Million (Suspected) Fake ⋆ Stars in GitHub:
A Growing Spiral of Popularity Contests, Scams, and Malware

https://arxiv.org/pdf/2412.13459

Previously used as a measure of how good a repository is, GitHub users are now being advised to consider other factors, such as its activity, authenticity and code quality.