Also some fun takeaways: it also makes external calls to Azure to load configuration and stays silent after updating for 2 weeks before showing warnings.

Moq is unusable. Needs to be forked or replaced. Time to switch to NSubstitute.

  • Dranadia@lemm.ee · 1 up · 11 months ago

    Holy shit. This is so bad. That’s my entire September gone… I actually fought internally for my company to donate to this and a couple of other projects, but I guess this one is off the donation list at this point.

  • rookeh@geddit.social · 1 up · edited · 11 months ago

    Sounds like the dev was unsatisfied with the low sponsorship numbers on his project, which when you consider how many devs only ever interact with Moq via the package manager or command line might be a fair complaint…but the decision to just start harvesting user data like a lowlife as an alternative source of income is some galaxy brain shit.

    It’s not like this would even be sustainable. What did he think was going to happen, devs would just blindly accept a new shady looking package appearing in their dependency stack with no further investigation?

    As a result of this stupidity Moq will now be on the shit-list of every corporation using .NET, especially those based in Europe due to GDPR implications.

  • TheLinuxGuy@programming.dev · 0 up · edited · 11 months ago

    This is not the first time this has happened with Dotnet open source packages; there are some pretty funky things going on, namely:

    ImageSharp (they re-licensed from Apache 2 to something like community/commercial licenses and threw a huge fit over it)

    Fody (it expects the software contributors of Fody to be patrons.)

    • TheCee@programming.dev · 0 up · 11 months ago

      > It expects the software contributors of Fody to be a patron.

      As in, you can only contribute source code if you also pay in money?

        • TheCee@programming.dev · 0 up · 11 months ago

          Interesting, thanks. Well, that’s kind of a good reason, except maybe they should have been more upfront about it.

          • TheLinuxGuy@programming.dev · 1 up · 11 months ago

            I think it’s asinine to ask the developers who contribute to your project, literally taking time out of their day to write the code and submit PRs to your project, to pay money to you.

            I wouldn’t even bother contributing to the project at that point.

  • Hector_McG@programming.dev · 1 up / 1 down · edited · 11 months ago

    I knew that software supply chain dependency poisoning was increasingly becoming a problem with open source; I just didn’t expect it to come from the original creator.