I'll start with its origin: it's apparently a fork of zinit, which was a project created by zdharma (Sebastian Gniazdowski).

I say apparently because the "fork" was created by bulk importing all the original zinit code: https://github.com/z-shell/zi/commit/2f749f9c3f49d872d4d277a450d36d8a6e64ac08.

This happened a few weeks after zdharma disappeared off the internet and deleted all their repos. That makes it a bit less of a red flag—it might be the only way to rescue the code—but rescue forks should still acknowledge they are forks.

Making a rescue fork of an abandoned project is normal (e.g. https://github.com/zdharma-continuum/zinit).

You know what's not normal? Creating an organization with the same name as their deleted GitHub username so that anyone who comes to find the old repos finds the projects you now control.

Props for making it look creepy as fuck, though.

That's not their main org though.

Their main org is called...z-shell. This is the first thing that threw me when I stumbled on this—this isn't official zsh docs, but it's all hosted at wiki.zshell.dev, which feels like an attempt to _seem_ official.

Here's the site: https://wiki.zshell.dev/

They're good at throwing together believable looking project websites, so long as you focus on the visuals. Lots of flashy imagery (some of these icons are animated, too) to distract from sentences like "Instant prompt postponing plugins loading to a moment when the processing of .zshrc file is finished."

Oh, it's not a "wiki" in any sense except that I guess you could submit a PR to it on Github, if you were wondering.

The project is a plugin manager for zsh, because that's what zinit was, though they don't make that clear here.

There's a minute long asciinema on the page of the installer script running, which shows that they like flashy colorful outputs but doesn't really give me any impression of the claimed "speed" (https://asciinema.org/a/509113). Why would this be your "see it in action"?

Also their install script starts with "Installing interactive feature-rich plugin manager (z-shell/zi)". Gotta love that.

So how do you install this?

Well it's easy, you just...wait, you WHAT?

You um...you add a curl directly to your .zshrc. You're sourcing this from the website _every time you open a shell_.

That's gotta be the slowest possible option, to say nothing about the security concerns.

That page is a redirect to the init script on Github. At the moment. It sure could change.

But if you're concerned about that, they have "verified" installation instructions, and I...I can't even.

Just put a hardcoded checksum in your zshrc and if the script you download doesn't match it, refuse to do anything.

Why wouldn't you just download the current version? Why constantly re-download it on every shell invocation just to check that it's unchanged?

...I can't even

Anyways by this point the picture I have is that the "devs" don't know what they're doing.

There's a non-malicious explanation for all of this, and indeed, I think a non-malicious explanation is in order. They're cosplaying as open source developers.

Actually building a useful project is hard. Grabbing someone else's, throwing up some flashy pages, and borrowing credibility from other projects with look-alike names is far easier.

I wouldn't trust any code from this site, malice or not.

Oh, and that ain't all they cosplay as.

They also run a "marketing firm" staffed by generic AI faces, for instance.

...I told you I was *deep* in this rabbit hole