Yet another “brilliant” scheme from a cryptobro. Naturally this caused a gold-rush for scammers who outsourced random people via the gig economy to open PRs for this yml file (example)

  • ezchili@iusearchlinux.fyi
    1 upvote · 7 months ago

    That’s insane

    Also lol at the people getting mad at the tea maintainer for “name calling” the guy hired to write up the scam PR

    Gig economy or not this idiot should have known better

    • db0@lemmy.dbzer0.comOP
      1 upvote · 7 months ago

      Lol classic reply from the monkey pfp “I didn’t know, I’m sorry, please don’t ban me, sir”. These fuckers know exactly what they’re doing seeing from how they obfuscated the PR purpose, and act all ignorant when caught. It’s exactly the same behaviour game cheaters exhibit when caught red-handed.

  • Kusimulkku@lemm.ee
    1 upvote · 7 months ago

    which should prevent idiots like @onedionys from being able to figure out how to create the file.

    Wow, slow down @mxcl. Calling people names is not constructive not warranted here.

    Lmao fuck off

  • redcalcium@lemmy.institute
    1 upvote · 7 months ago

    It’s hilarious that the PR author in that example has a monkey profile pic. I guess what people are saying about never trusting people with monkey pfp is true.

  • frezik@midwest.social
    1 upvote · 7 months ago

    Actually, I only want to add one file, tea.yml, to your repository. Because I have a job that requires uploading the file and I also don’t know what it is used for.

    So you want me to merge a file you use on your job and you don’t know what it does?

    I see no issue. Merged!

  • toastal@lemmy.ml
    0 upvotes · edited · 7 months ago

    The easy red flag here is YAML. It’s a hideous, overly-complex format for anything so of course a scam would choose it.

    • sep@lemmy.world
      1 upvote · 7 months ago

      I see you get downvoted a lot. But as a Norwegian that repeatedly has run into the Norwegian problem when trying to use some program… I see you.

    • umbraroze@kbin.social
      1 upvote · 7 months ago

      Brief history of YAML:

      “Oh no! All of these configuration file formats are complicated. I want to make things simpler!”

      (Years go by)

      “…I have made things more complicated, haven’t I?”

      YAML is generally good if it’s used for what it was originally designed for (relatively short data files, e.g. configuration data). Problem is, people use it for so much more. (My personal favourite pain example: i18n stuff in Ruby on Rails. YAML language files work for small apps, but when the app grows, so does the pain.)

  • nayminlwin@lemmy.ml
    0 upvotes · 6 months ago

    I’ve seen video ads claiming to show you a way towards passive income from other people’s videos somehow. Now it’s coming to open source projects…

    • towerful@programming.dev
      1 upvote · 6 months ago

      I’ve seen an uptick in Twitch users offering graphics packs for streamers.
      I presume some company has figured out the prompts to get AI generated emote packs, and now hire people to offer this service randomly to small/medium streamers.

  • SwingingKoala@discuss.tchncs.de
    0 upvotes · 7 months ago

    If you think “crypto” people came up with this I have bad news for you, spamming is as old as the internet, and adding ads to repos is not new. Btw, “cryptobro” is a sexist term that excludes women.

    • Evkob@lemmy.ca
      0 upvotes · 7 months ago

      > Btw, “cryptobro” is a sexist term that excludes women.

      I’m usually that person getting downvoted for insisting on inclusive language so I totally get you, but girl I’ve never met a cryptobro who wasn’t a man.

    • Omega_Haxors@lemmy.ml
      English · 0 upvotes, 1 downvote · 6 months ago

      Admins please include instance blocking for comments, thanks. No instance ending in .de ever has anything of value to say.

  • Rob Bos@lemmy.ca
    0 upvotes · edited · 7 months ago

    Honestly doesn’t sound like a terrible idea on paper, but this spam outbreak could kill it before it gets off paper in a real way. Giving devs a bad taste will stay around a long while.

    Edit: and of course the well-earned general attitude toward cryptocurrency as scammer playgrounds is automatically putting it way in the red too.

    • FlumPHP@programming.dev
      1 upvote · 7 months ago

      Dude also used an LLM to generate descriptions for the packages he’s serving from his package manager. And of course, it got them wrong, creating a headache for the actual package maintainers.

    • mosiacmango@lemm.ee
      1 upvote · edited · 7 months ago

      He’s probably interested in blocking these kinds of PR’s.

      He is now that people are spamming the high profile projects he used as examples in his “get paid” cryptobro scam videos and it’s pissing people off in the FOSS communities he’s trying to worm the project into.

      Hilariously, he stated that he would be really unhappy if people were doing this to his actual FOSS projects, which makes me wonder why he didn’t use them in his examples instead of the completely unrelated Node.js and ghost projects.

      It’s almost like he made himself getting rich someone else’s problem. Totally unlike crypto bro behaviour, of course.

  • tranxuanthang@lemm.ee
    0 upvotes · 7 months ago

    It’s sad that a lot of the usernames come from Vietnam (my country). I remember when the Stellar airdrop was announced there were people trying to buy GitHub accounts for 3-5$ for “their company’s project”. Many people do the thing that’s called “MMO” like that here, that doesn’t realistically provide any value. They just want to get rich as fast as possible with only simple jobs such as copy and paste.

    • flying_sheep@lemmy.ml
      0 upvotes, 1 downvote · 6 months ago

      I greatly respect the way Vietnam has put things like stable rice prices over Western money. As far as I understand it, this allows for a society where nobody lives in abject poverty. But it also prevents people from getting rich quick by milking their own people. So if I got all of this right, it’s not surprising that some people encountered the idea of getting rich quick through the Internet and try that now.

      • chebra@mstdn.io
        1 upvote · 6 months ago

        @flying_sheep

        > nobody lives in abject poverty. But it also prevents people from getting rich quick by milking their own people

        lol… no… not at all

          • chebra@mstdn.io
            1 upvote · 6 months ago

            @flying_sheep probably yes, but if you are looking for a country where people are not living in poverty, where the state takes good care of them or where scammers can’t get rich quick, then Vietnam is unfortunately not it.

  • CrayonRosary@lemmy.world
    0 upvotes, 1 downvote · 6 months ago

    Am I stupid? How is this in any way confusing?

    I kept re-reading this line and it made no sense. All I need to do to claim ownership of a project is merge a pull-request? Do I own Laravel because I’ve gotten a pull request merged? (emphasis mine)

    Merging a pull request and having a pull request merged are two completely different things, and one very much requires you to own the project or have contributor rights to it. Which is exactly what the scammer is looking for proof of.

    How was the author confused by this? Or am I somehow the dummy here?

    • chebra@mstdn.io
      1 upvote · 6 months ago

      @CrayonRosary having a pull request merged is in no way a proof of ownership of the repo, or a sign that the owner wants to participate in this scheme. There are better ways to prove ownership. It’s relatively easy to slip in some file unnoticed, or falsely explain during the PR process what the file represents. So choosing this way of validation is a huge red flag about the whole scheme. It motivates people to falsely claim ownership of popular repos.