All of the links to Slurp in books, tweets, etc. point specifically to “github.com/bbb31/slurp” — the repo named “slurp” owned by the user named “bbb31”. With the bbb31 account now deleted, what’s stopping someone from simply registering a new account with the same name and creating another repo named “slurp”?

Nothing!

Github user bbb31, back from the dead

Within about 5 minutes I was the owner of a brand new account named “bbb31” and had created a repository named “slurp”. Now all of the blog posts, tweets, etc. pointed to a repository whose contents I controlled. The next time someone cloned and blindly ran the code off GitHub, it could be whatever code I wanted.

The new source code for Slurp

From August 14th to August 27th, 27 people had cloned the repository. Hundreds more had visited the page, thanks to referrals by theregister.co.uk and others. These are all people that could have been victims of malware, due to the lack of account-name re-use protections on GitHub.
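The hijack described above works because every reference to the tool is a mutable name (a login plus a repo name) rather than something immutable. The following is an added example, not code from the original post or from the Slurp project, showing the checks a consumer of third-party code can run before executing a clone: refuse to pin to anything but a full commit SHA, compare the owner's numeric account id (which a re-registered login does not inherit) rather than the login, and verify the downloaded archive's digest. The `RepoPin` record, the account ids, the commit SHA and the API-shaped metadata are all constructed for the example.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RepoPin:
    """What a consumer should record about a third-party repo, beyond its URL.

    Hypothetical record for this example; the real project publishes no such pin.
    """
    url: str             # human-readable location, e.g. https://github.com/<user>/<repo>
    owner_id: int        # numeric account id from the GitHub API; a re-registered login gets a new one
    commit: str          # full 40-hex commit SHA; branches, tags and short SHAs can be re-pointed
    archive_sha256: str  # sha256 of the archive that was actually reviewed


_FULL_SHA = re.compile(r"[0-9a-f]{40}")


def is_immutable_ref(ref: str) -> bool:
    """True only for a full commit SHA; 'master', 'v1.0' and 'abc1234' are all mutable names."""
    return _FULL_SHA.fullmatch(ref.strip().lower()) is not None


def owner_matches_pin(repo_metadata: dict, pin: RepoPin) -> bool:
    """Compare the numeric owner id, not the login: the login is exactly what an impostor reuses."""
    owner = repo_metadata.get("owner") or {}
    return owner.get("id") == pin.owner_id


def archive_matches_pin(archive: bytes, pin: RepoPin) -> bool:
    """Constant-time comparison of the downloaded archive's digest against the pin."""
    digest = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(digest, pin.archive_sha256)


def check_pin(repo_metadata: dict, archive: bytes, pin: RepoPin) -> list:
    """Return the reasons NOT to run this code; an empty list means every check passed."""
    problems = []
    if not is_immutable_ref(pin.commit):
        problems.append("pin does not name a full commit SHA")
    if not owner_matches_pin(repo_metadata, pin):
        problems.append("owner account id differs from pin: login may have been re-registered")
    if not archive_matches_pin(archive, pin):
        problems.append("archive sha256 does not match pin")
    return problems


# --- constructed sample data (not real GitHub responses or real Slurp code) ---
SAMPLE_ARCHIVE = b"#!/bin/sh\necho 'slurp: original, reviewed code'\n"
SAMPLE_PIN = RepoPin(
    url="https://github.com/bbb31/slurp",
    owner_id=1111111,                                   # made-up id of the original account
    commit="0123456789abcdef0123456789abcdef01234567",  # made-up commit SHA
    archive_sha256=hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(),
)
# Shaped like the GitHub repos API (owner.login / owner.id); ids are made up.
ORIGINAL_REPO_METADATA = {"full_name": "bbb31/slurp", "owner": {"login": "bbb31", "id": 1111111}}
HIJACKED_REPO_METADATA = {"full_name": "bbb31/slurp", "owner": {"login": "bbb31", "id": 2222222}}
HIJACKED_ARCHIVE = b"#!/bin/sh\necho 'slurp: replaced by whoever re-registered the login'\n"

if __name__ == "__main__":
    print("original:", check_pin(ORIGINAL_REPO_METADATA, SAMPLE_ARCHIVE, SAMPLE_PIN) or "OK")
    print("hijacked:", check_pin(HIJACKED_REPO_METADATA, HIJACKED_ARCHIVE, SAMPLE_PIN))
```

In practice the pin is written once, when the code is first reviewed, and `check_pin` runs on every later fetch; a same-login, different-id owner is the signal that the name has changed hands since that review.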