Nothing subtle, but he was clever in the sense that he managed to stuff a complete injection attack into his single file and included a Google-call in case his script didn't recognize the operating system.
Worth a read not because it's a genius-level hack, but worth it to see the breadth-first attempt that the attack takes to utilize a number of strategies. Realizing the number of attack vectors that you have to defend against is key to writing secure code.
In that sense, I wonder if there are other good examples of attack code hosted on GitHub somewhere. Seems like there's as much to learn from "black hat" code attacks as there is from doing code reviews on your own codebase.
Hacks like this are commonly available. Back when I was working with WordPress more, I saw them a few times. What's kind of cool when you see them is that they're often obfuscated several layers deep, so getting to the code is kind of like a puzzle.
It's already pretty common on any issue or pull request that gets a lot of attention and has an aspect of community drama. The Crockford / semicolon one isn't as bad straight out of the gate (https://github.com/twitter/bootstrap/issues/3057), but still...
Very clever, but given WordPress's security track record when it comes to code exploits I wouldn't have been surprised if this somehow made its way into the core. Good code for learning how some particular WordPress exploits work.
There was the famous attempt to insert a backdoor in the Linux source tree[1]. That wasn't quite the same, as it wasn't a pull request (or equivalent); it was instead done by directly modifying the CVS mirror of the BitKeeper source tree.
It happened to UnrealIRC a few years back. The tarball on their website was adulterated to include a backdoor and the published checksums were altered too. They've since moved to cryptographic signatures for verification.
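The UnrealIRC incident above, worked through as an added example that is not from this thread or the project: a checksum hosted beside the tarball is simply re-computed by whoever tampers with the mirror, while a signature checked against a key the user obtained out of band is not. The archives, key and names here are constructed; only Go's standard-library ed25519 and sha256 are used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a download site serves: the archive, the checksum file
// published next to it, and a detached signature. Constructed sample data.
type Release struct {
	Tarball  []byte
	Checksum string // hex SHA-256, hosted on the same server as the tarball
	Sig      []byte // ed25519 signature over the tarball bytes
}

// Publish builds a release the way a maintainer would, signing with a private
// key that the web server never holds.
func Publish(tarball []byte, priv ed25519.PrivateKey) Release {
	sum := sha256.Sum256(tarball)
	return Release{Tarball: tarball, Checksum: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, tarball)}
}

// Tamper is what a compromised mirror can do: swap the archive and re-publish a
// matching checksum. The old signature is left in place because no new one can be made.
func Tamper(r Release, replaced []byte) Release {
	sum := sha256.Sum256(replaced)
	return Release{Tarball: replaced, Checksum: hex.EncodeToString(sum[:]), Sig: r.Sig}
}

// ChecksumOK is the check a user can do when only a checksum is published.
func ChecksumOK(r Release) bool {
	sum := sha256.Sum256(r.Tarball)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignatureOK verifies against a public key obtained out of band (pinned by the
// verifier), not downloaded from the same server as the tarball.
func SignatureOK(r Release, pinned ed25519.PublicKey) bool {
	return ed25519.Verify(pinned, r.Tarball, r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish([]byte("release.tar.gz: genuine source (constructed)"), priv)
	bad := Tamper(good, []byte("release.tar.gz: source plus backdoor (constructed)"))
	fmt.Println(ChecksumOK(good), SignatureOK(good, pub)) // true true
	fmt.Println(ChecksumOK(bad), SignatureOK(bad, pub))   // true false
}
```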
Instead of focusing on the pull request, maybe we should think about better vulnerability trajectories. Next time don't make a pull request. Just fork the project, add some dumb feature someone will want or need, then leave your fork out there on GitHub. Morons will pull it down and use it without ever checking the code.
So he just put in a remote shell and removed the actual code? I've found a couple of remote shell scripts on my server over the years as it got compromised; I was always impressed with how much they could really do from one file on my server. Scary stuff.
This is the programming equivalent of a politician embezzling money by writing a law that says "I get ten percent of all the money!" and asking everyone to pass it.
That's actually correct - 'an' before a sounded 'h' is a style issue in American English, and still commonly used. In nearly every other English dialect it is a strict rule.
They caught this one because it was an obvious attempt, but their track history sucks.
Mocking evil hackers is a very stupid idea.
Oh and I believe they tried this because someone was successful in the past if I remember correctly.