I am deep in the rabbit hole of looking into an apparently deeply scammy looking zsh plugin manager called "zi".

I think it's an extremely bad idea to use "z-shell/zi" or anything else from the same "creators". There's an entire field of red flags here.

I'll start with its origin: it's apparently a fork of zinit, which was a project created by zdharma (Sebastian Gniazdowski).

I say apparently because the "fork" was created by bulk importing all the original zinit code: https://github.com/z-shell/zi/commit/2f749f9c3f49d872d4d277a450d36d8a6e64ac08.

This happened a few weeks after zdharma disappeared off the internet and deleted all their repos. That makes it a bit less of a red flag—it might be the only way to rescue the code—but rescue forks should still acknowledge they are forks.

Making a rescue fork of an abandoned project is normal (e.g. https://github.com/zdharma-continuum/zinit).

You know what's not normal? Creating an organization with the same name as their deleted GitHub username so that anyone who comes to find the old repos finds the projects you now control.

Props for making it look creepy as fuck, though.

That's not their main org though.

Their main org is called...z-shell. This is the first thing that threw me when I stumbled on this—this isn't official zsh docs, but it's all hosted at wiki.zshell.dev, which feels like an attempt to _seem_ official.

Here's the site: https://wiki.zshell.dev/

They're good at throwing together believable looking project websites, so long as you focus on the visuals. Lots of flashy imagery (some of these icons are animated, too) to distract from sentences like "Instant prompt postponing plugins loading to a moment when the processing of .zshrc file is finished."

Oh, it's not a "wiki" in any sense except that I guess you could submit a PR to it on GitHub, if you were wondering.

The project is a plugin manager for zsh, because that's what zinit was, though they don't make that clear here.

There's a minute long asciinema on the page of the installer script running, which shows that they like flashy colorful outputs but doesn't really give me any impression of the claimed "speed" (https://asciinema.org/a/509113). Why would this be your "see it in action"?

Also their install script starts with "Installing interactive feature-rich plugin manager (z-shell/zi)". Gotta love that.

So how do you install this?

Well it's easy, you just...wait, you WHAT?

You um...you add a curl directly to your .zshrc. You're sourcing this from the website _every time you open a shell_.

That's gotta be the slowest possible option, to say nothing about the security concerns.

That page is a redirect to the init script on GitHub. At the moment. It sure could change.

But if you're concerned about that, they have "verified" installation instructions, and I...I can't even.

Just put a hardcoded checksum in your zshrc and if the script you download doesn't match it, refuse to do anything.

Why wouldn't you just download the current version? Why constantly re-download it on every shell invocation just to check that it's unchanged?

...I can't even
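
An added example, not part of the original thread and not code from zi or its authors: the alternative the posts above point at, which is to fetch the script once, check the downloaded file against a pinned SHA-256, and source that same local file at shell startup with no network access. Function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example; all function names and paths here are hypothetical.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if FILE exists and its digest equals the pinned one.
verify_pinned() {   # verify_pinned FILE EXPECTED_SHA256
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# One-time install. SRC is a file you fetched once (for instance with
# curl -o). The digest is checked on a private copy, and that same copy
# is moved into place, so the bytes that were checked are the bytes kept.
install_pinned() {  # install_pinned SRC DEST EXPECTED_SHA256
    tmp=$(mktemp "${2}.XXXXXX") || return 1
    cp "$1" "$tmp" || { rm -f "$tmp"; return 1; }
    if verify_pinned "$tmp" "$3"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Shell startup: no download. Source the local copy only while it still
# matches the pin; a modified file is refused instead of executed.
source_pinned() {   # source_pinned FILE EXPECTED_SHA256
    verify_pinned "$1" "$2" || {
        echo "refusing to source $1: checksum mismatch" >&2
        return 1
    }
    . "$1"
}
```

Updating then becomes a deliberate step: fetch the new version, read it, change the pin, and run `install_pinned` again.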

Anyways by this point the picture I have is that the "devs" don't know what they're doing.

There's a non-malicious explanation for all of this, and indeed, I think a non-malicious explanation is in order. They're cosplaying as open source developers.

Actually building a useful project is hard. Grabbing someone else's, throwing up some flashy pages, and borrowing credibility from other projects with look-alike names is far easier.

I wouldn't trust any code from this site, malice or not.

Oh, and that ain't all they cosplay as.

They also run a "marketing firm" staffed by generic AI faces, for instance.

...I told you I was *deep* in this rabbit hole

Let's back up. Who are the devs of zi?

Well, they have a "Contributors" doc. Let's take a look.

At first glance, it's a lot of them.

(yes, I see the project logo. We are going to come back to that. It's a whole separate thing. Seriously.)

You're probably not surprised at this point to learn what isn't on the list: any mention of zdharma or the original project this forked off of.

You might also be unsurprised to learn that the vast majority of these "contributors" have exactly one commit. It's not even clear to me all of them want their profiles under "Contributors" here, though plenty of them seem kinda scammy.

It seems like the real owner of the project is Salvydas Lukosius, aka "ss-o".

Salvydas is a busy guy: according to his LinkedIn, he has three jobs, one of which might be his actual job (the other two are scams including the marketing firm I showed earlier).

Unshockingly he's real into AI, btw. WiseHub offers "Generative AI to boost your business" on their generic marketing page.

We can identify some signatures of Salvydas's on the pages for these businesses, like putting some arbitrary words in all CAPS, including "FAQs" that were clearly generated by an LLM, and my favorite...well, just see for yourself.

So what, right? This is all _probably_ harmless, if it's just business cosplay.

After all, I can't imagine anyone actually engaging a marketing firm that uses "RESULT$" right on their website. And I have no idea how anyone would find and stumble into these fake businesses.

But Salvydas isn't lying about one thing. He's good at "SEO".

By which I mean, his project is beating zsh.org itself in my search for "zshell"

This is how I found it. I was searching for some info on zprof, because what better to do with my weekend than track down the slowness in my prompt, and I came across this "Benchmarking" page: https://wiki.zshell.dev/docs/guides/benchmark

At first, I didn't quite register what I was looking at. The site appeared legit, and I wondered if there was an official zsh wiki now or something. Sure, the writing is bad, but it's a wiki!

The reference to "zi" made it clear it wasn't for zsh proper, but it had me for a second.

I can believe that these are script kiddies cosplaying as professionals. I did that when I was a teenager, and I don't have a problem with it. It's harmless fun.

But remember when I said I needed to get back to the logo? We need to get back to the logo.

Here's a huge version, the only thing on their "Community" page

Let's look at it side by side with the official zsh logo, shall we?

Well, that's unmistakable right? They just added the "ELL". They're clearly _trying_ to look like the original project.

That's enough to tilt this towards being a problem, IMHO. I have no clue what they intend to do with this, but...this is weird.

...And it gets weirder

Oh hey, it's the "ZSHELL" version of the logo on the Wikipedia page for zsh.

Am I losing my mind? Did the actual zsh project adopt this logo? If yes, is that better or worse?

Let's find out.

Headline first: no, that is _not_ an official zsh project logo, as far as I can tell. Official zsh pages still have the one that just says zsh.

EDIT: This was incorrect; it's an alternate version of the official zsh project logo.

So where did this logo come from?

It was added by Wikipedia user Justindorfman in March of 2022:
https://en.wikipedia.org/w/index.php?title=Z_shell&oldid=1078941115

EDIT: When I originally wrote this, I was in the process of investigating and not yet sure of the details, but ultimately what happened here is boring and straightforward: "Salvydas" grabbed a version of the zsh logo off Wikipedia and used it without permission. Justin has since reached out and confirmed this; thanks Justin!

Assuming Justindorfman is the same Justin Dorfman who works at Sourcegraph (https://twitter.com/jdorfman), this might be legitimate. It's sure the first time a name has come up that seems like a real developer.

Unfortunately, Twitter is awful now and I can't ask him via DM, not because his DMs are closed but because apparently DMing people who don't follow you is a "premium feature".

This mystery has me perplexed, but not enough to give Elmo $10.

I wouldn't put it past someone with seven faked LinkedIn profiles and a GitHub org squatting on the name of a well-known developer who nuked their accounts to register a fake "Justin Dorfman", of course. But the account _is_ from 2016, and Sall's activity seems to have started more recently.

...We're so deep in tangents now and apparently some people are actually reading this, so hello friends! Welcome to the messy maze that is my mind. It won't get more organized, and I'm not sure where it's going, but hopefully you have fun riding along.

Anyways. Regardless of whether the Justin account is the same Justin Dorfman, this Wikipedia user seems to be pretty fine making a self-serving change.

His edit adding the Bash one back in 2016 says this:
"I updated the GNU Bash logo to the latest. You can read the history here: http://www.unixstickers.com/blog/new-home-for-bash-stickers-justin-dorfman-guest-post also used by Chet Ramey's Bash page: http://tiswww.case.edu/php/chet/bash/bashtop.html"

Hmm.....

That blog post is gone now, and unixstickers.com redirects to Sticker Mule.

It's days like this I am deeply grateful for the Wayback Machine.

https://web.archive.org/web/20160229231114/http://www.unixstickers.com/blog/new-home-for-bash-stickers-justin-dorfman-guest-post

If you're reading this and able to, go donate to Internet Archive! They make it possible to actually dig up and uncover stories like this.

So the gist of this post is that Justin didn't like how old the Bash logo was, emailed the current maintainer (Chet Ramey) and asked to redesign it. I buy this story entirely. I've reached out to maintainers of old, critical projects before and they're usually super responsive and friendly.

EDIT: As confirmed by Justin below, this was entirely legit and not associated with any of the rest of the thread at all.

We can clearly see the story isn't the same with the zsh logo. There's no indication anywhere that they have changed the name in their logo from zsh to zshell.

Prior to Justin's edit, the zsh page didn't have a logo. Given that he appears to like shell logos and this fake logo from z-shell/zi was already floating around at the time, it's easy to imagine this was just a mistake.

But it sure lends even more false credibility to this project.

This is more or less where I've ended up, so probably a good time to wrap up this thread.

There's more weirdness I saw—"Salvydas" runs several other projects on GitHub for instance, including quite a few under the "digital-clouds" org that is also his, though none seem as popular as zi.

It's all pretty similar in form and content, though, and none of it beats the shock I had clicking "about" and seeing six AI generated men staring me down or finding their logo on Wikipedia.

The TL;DR is that I wouldn't trust anything from "Salvydas Lukosius" or "ss-o" or "z-shell" or "digital-clouds".

At best, they're an inexperienced developer who cares more about looking like an experienced, trusted developer than they do actually becoming one.

At worst, they are some kind of scammer.

I have yet to take a deeper look into the zi source code, but even without that I can safely say the whole project is extremely sus.

Huge thanks to everyone who has enjoyed this! I appreciate all of you and hope you are having wonderful weekends.

This was a pretty as-I-found-it braindump. Some follow-ups:

First, as noted by @misty, it's quite likely the "zshell" logo is a legitimate project logo, but just not in active usage anywhere.

Second, is this malicious? I'm really not sure. I don't *think* so. Most things here can be explained by inexperience and a desire to look legit. But there's a lot of weirdness.

Even if it's "just" inexperience, the way it's all set up seems to indicate the plagiarism is intentional. They don't want people noticing it's a clone of zdharma/zinit.

Many of you have found potential exploits—like the redownload after check in the "verified" init code—but it does seem to me like there are "easier" ways to exploit this position if they wanted to.

Then again, maybe they want the deniability of everything looking like inexperience. I really don't know.

@dylnuge Getting some "Jia Tan" vibes there...

@dylnuge This was my first impression when I heard the name (being from the same country I'm mildly qualified to judge):

Alvydas – normal given name, I've met a few guys named that, suitable for a bad actor to use in order to stay inconspicuous when backdooring software

Salvydas – name I've literally never heard of, 98% made up to sound unique and deep, definitely has a soundcloud or something

(Has a youtube channel apparently, but same deal. And a facebook with some hax0r stuff as the profile pic.)

Could be a very well crafted persona but honestly I'm just getting a very specific vibe of "trying very hard to look cool" all around.

@dylnuge great thread, thanks

@dylnuge Fantastic digging and story. It’s so bizarre that it doesn’t entirely veer into either cosplay or fraud/con, but instead hovers awkwardly in the middle.

@teotwaki it's like setting the stage for something shady that hasn't happened yet... Putting on another tin foil hat on top: perhaps this is a new genre of schemes where potential social FOSS exploits are prepped for the right buyer? I tend to think it's just cosplay and credibility laundering but I'll keep the option open.

@dylnuge great investigation and thanks for sharing with receipts!

@dylnuge 👏👏👏 excellent thread, ty. I hope this gets picked up off fedi, may be worth reaching out to The Register or Hackaday. More eyes equals more pressure for whoever is behind this to stop mucking about.

@dylnuge dude, I didn't make money from selling stickers. The stickers that were sold went back to the Free Software Foundation.

In fact, they still sell the stickers on their store! https://shop.fsf.org/stickers/bash-logo-sticker-pack

Please don't make assumptions that are entirely false. I would appreciate a correction of some sort.

Edit: we cleared this up, thanks Dylan for updating the thread

@jdorfman I've updated this!

FWIW, my intent wasn't to imply that there was any misdeed here, though I see the hazard of having it alongside the rest of the thread's context.

Honestly, this whole segment of the thread is bad—it was live updates on an investigation of something that turned out to be unrelated to the original topic. It's pretty clear that the logo itself was legit, and just lifted from Wikipedia without permission.

@dylnuge I appreciate it Dylan. I was just freaking out because people were Slacking me at work, and I overreacted. We cool :)

@dylnuge Looking up the zsh mailing list thread that got linked when the logo was added to Wikipedia, Justin Dorfman designed the logo: https://www.zsh.org/mla/workers/2022/msg00009.html

I can't see anywhere the zsh project used the horizontal "zshell" version but if he's the designer and was engaging with the community on it, it seems legit to me that both versions were some level of official.

@misty Yeah it seems quite possible that the zshell version is just an unused (or not widely used) alternative version of the official logo.

I did see the mailing list post, though I couldn't find a copy of that version in that thread (a few other alternates show up, though, such as in https://www.zsh.org/mla/workers/2022/msg00059.html)

Still doesn't explain why they're using it on the zi "community" page.

@dylnuge 👋

I was the art director of the Bash and ZSH logos. I've been a code & non-code contributor for 13 years, so I hope I have enough credibility to have people believe that **I have nothing to do with that other project.**

@jdorfman Hey Justin, thanks for getting in touch! Figured as much and appreciate the confirmation!

It seems most likely that they just stole the version of the logo from Wikipedia and slapped it on their website to look more legit.

@dylnuge hey all good sorry about that last (toot?) I just have co-workers sending me links like "dude you need to check this out" 😅

@jdorfman No worries at all, you were right to correct me!

I've edited a couple of the earlier posts about the logos in this thread, since I don't think people should need to read to the end to learn that the logo is legit and the project just stole it. Hopefully that makes things clearer!

Thanks again for reaching out, really appreciate it.

@dylnuge the bash logo is legit.
The GNU page for bash at https://www.gnu.org/software/bash/ links to the maintainer's own page at https://tiswww.case.edu/php/chet/bash/bashtop.html and the maintainer's page has that logo on it.

@dylnuge When the zsh logo was designed and contributed, there were a few variations - black and white, with orange, just the %_ for use as a favicon and with and without the "ELL" to allow for use in wider or narrower spaces. They are all "official" but that's not to say that you aren't perhaps onto something with the fork of Sebastian's plugins being dodgy.

@dylnuge I feel like #zsh should ask them to change their logo/name so it can't be confused with official endorsement

People get pissy about OSS projects having trademark/logo policies and such, but this is why