Threat actor attempted to slipstream a malware payload into yt-dlp's GitHub repo

The other thread has more repos listed: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42118097">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42118097</a>

What does “slipstreamed” mean? Upon first look this just looks like a really lazy attempt, but maybe there’s something I’m missing. Jia Tan was at least clever about it.

To be honest, I doubt it would&#x27;ve gotten merged anyways.