Hide the same program into some dependency of a dependency and you have a nice little security vulnerability in your prod app. It's actually very easy to hide such a vulnerability as an innocent bug.

▲

ameliaquining 5 days ago | parent [-]

If you're stipulating deliberately inserted vulnerabilities then there are much easier ways, e.g., with a plausibly-deniable logic bug in code that calls os/exec or reflect (both of which can execute arbitrary code by design).

▲

gf000 5 days ago | parent [-]

If you see `exec`, that's an obvious point where you want to pay extra attention.

Compare to an innocent looking map operation, and it's not even in the same league.

	▲	ameliaquining 5 days ago \| parent [-]
		What's the least suspicious-looking code that you think could facilitate remote code execution via data-race memory corruption?