This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/OhBeeOneKenOhBee on 2025-04-15 10:36:08+00:00.


I want to start out by saying that I REALLY do not want this to be interpreted as or devolve into any form of hate against the creator or their work. Judging by their Github history alone, they have a quite long track record of awesome open source work, and the scenario “I just felt like uploading all my projects on to Github since recently retiring” is a completely valid scenario. But remember, Github accounts being hacked is also a valid scenario. This is an exercise in caution - Trust, but verify.

Stumbled over this post that was made recently on here about CyberPAM (github.com/RamboRogers/cyberpamnow), and it really sounds like a great piece of software… in theory.

It also sounds a lot like a well-executed training exercise in a cybersecurity lab. Even though someone has a long track record on Github - accounts can be hacked and taken over. Here are some of the red flags:

  • The RamboRogers github account does have quite a long history, but a lot of the larger/substantial projects have popped up in the last 3 months
  • The first mention of CyberPAM anywhere was 3 months ago. The domain, repo, docker images were all created within the last 3 months.
  • Since release, there’s a rapid progression through minor versions, 0.3 > 0.4 > 0.5 within about a month. This could just indicate that a lot of features were added since releasing because bugs were discovered, but it might be a flag.
  • Releasing the whole thing on Github, with a lot of claims in regards to functionality but little to no documentation or actual source code gives a sense of “this is legit/open source”, but without much substance behind it.
  • The quote “Often implementations of PAM products take a long time to get to production, but not CyberPAM” - well, generally security products do indeed take a long time to get to production but that’s because they are tested quite extensively. It’s kind of what I’d expect from a product making a LOT of claims about security features.
  • Repetitive mentions of the importance of adding your Cloudflare API keys to the software, with the only substantive documentation helpfully showing you how to do that.
  • Very flashy and visually impressive Github repo
  • Massive claims on the feature side with a lot of buzzwords
  • A sudden shift in programming languages from C++, Shell scripts and some Python/Rust to Go-based software
  • A lot of minor changes in a lot of places, the matthewrogers.org domain was modified in December of 2024
  • No substantial documentation about the software at all, except for “here’s how you run the docker container, here’s how you run the container in Kubernetes, here’s how you add the Cloudflare API Key”
  • The cyberpamagent installation shell script downloads a compiled binary, also without any hint of source code or documentation. The recommended installation method is basically “just run this without thinking about it”

Now, how you interpret all of this is up to you.

Most of the points could be covered in the scenario you get when reading his various posts, “I recently retired, I’ve been using this for years, I just wanna share it with the community”. This isn’t unreasonable at all. Releasing software without the source code on Github, or bulk uploading projects, aren’t red flags in themselves.

But the scenario of “Yeah, this will likely infiltrate your network and Cloudflare account” is equally likely at this point. Matthew could be away for a couple of months on holiday and his account was hacked, he could’ve finally snapped after retiring from working for EvilCorp for years, maybe it’s not really his account at all, or maybe he’s running a cybersecurity PSA just for laughs.

Trust - but verify.

Edit: Fixed the link to CyberPAM in the intro.
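The "trust, but verify" step the post recommends for the installer can be partly mechanised: fetch the install script to disk and triage it before anything runs. The following is an added example, not code from the post or from the project it discusses; both installer scripts inside it are constructed for illustration and example.invalid is a placeholder domain.

```python
"""Triage a 'curl | sh' style installer before running it.

Added example, not code from the post or from the project it discusses. It scans
an install script for the red flags the post lists: fetching a compiled binary
with no checksum or signature check, piping remote content into a shell, and
prompting for cloud API tokens. Both scripts below are constructed for
illustration; example.invalid is a placeholder domain.
"""
import re

SUSPICIOUS_INSTALLER = r"""#!/bin/sh
set -e
ARCH=$(uname -m)
curl -fsSL https://downloads.example.invalid/agent-${ARCH} -o /usr/local/bin/agent
chmod +x /usr/local/bin/agent
read -p "Cloudflare API token: " CF_API_TOKEN
echo "CF_API_TOKEN=$CF_API_TOKEN" > /etc/agent.env
curl -fsSL https://downloads.example.invalid/post-install.sh | sudo sh
"""

CAREFUL_INSTALLER = r"""#!/bin/sh
set -e
curl -fsSL https://downloads.example.invalid/agent.tar.gz -o agent.tar.gz
curl -fsSL https://downloads.example.invalid/agent.tar.gz.sha256 -o agent.tar.gz.sha256
sha256sum -c agent.tar.gz.sha256
tar xzf agent.tar.gz
"""

# (flag name, pattern, why a reviewer cares)
RULES = [
    ("remote_download", re.compile(r"\b(curl|wget)\b[^\n]*https?://"),
     "fetches artefacts from the network"),
    ("pipe_to_shell", re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
     "executes downloaded content without it ever touching disk for review"),
    ("cloud_api_token", re.compile(r"api[_ -]?(token|key)|cloudflare", re.I),
     "collects cloud or API credentials during install"),
]
# Commands that indicate the script checks a digest or signature on what it fetched.
VERIFY = re.compile(r"\b(sha256sum|sha512sum|gpg\s+--verify|cosign\s+verify)\b")


def triage_installer(script: str) -> list[str]:
    """Return the red-flag names found in script. A clean result is not proof of safety."""
    hits = [name for name, pattern, _why in RULES if pattern.search(script)]
    # Downloading is normal; downloading with no integrity check on the result is the flag.
    if "remote_download" in hits and not VERIFY.search(script):
        hits.append("download_not_verified")
    return hits
```

The heuristics are deliberately coarse: they point a reviewer at the lines worth reading, they do not replace reading the script or checking the publisher's checksums and signatures against a second source.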