Man, I wish people would get off GitHub. I wiped my account when Microsoft acquired GitHub, only to create a new one 6 mos later because I wanted to submit patches to a project. The alternative is to not submit patches.
This attack could have been easily averted… If anybody uploads code to a repo that uses some version of rm -rf / that should automatically be rejected. This is basic malware detection. If they had done anything to obfuscate that functionality, we probably would be finding out about this way too late.