Attackers would use it to gain access to inject malware if the project was at all popular. The Internet is a dark forest.

This only works as a skill filter. It doesn’t work in an environment with malicious actors.

If only the author had something to say about this problem...

> The Pull Request Hack probably isn't suitable if you're running big projects.

> And it is almost certainly a stupid idea if you write code which is actively used by multiple downstream projects.

> And if your stuff has even the slightest chance of compromising security then you're better off sticking to trusted members.

He did, but the problem is that any package anyone uses for anything could compromise security. So what could you use this with?

This sort of openness is an elegant weapon from a more civilized age.

These days the net is like a zombie movie where if you leave a crack in the boards covering the windows the arms will reach in.

Ok, let's consider the author's example of SuperTinyIcons (https://github.com/edent/SuperTinyIcons). What are some possible ways you could send a PR, gain commit rights and then use it for compromising security?