DecoySalamander 3 days ago

It wasn't a "normal person", it was a developer who put this into the README of his package:

> But beyond the technical aspects, there's something more critical: trust and long-term maintenance. I have been active in open source for over a decade, and I'm committed to keeping Chalk maintained. Smaller packages might seem appealing now, but there's no guarantee they will be around for the long term, or that they won't become malicious over time.

I expect him to know better.

mdavid626 3 days ago

Does this mean you verify EVERY domain you use? How would you even do that?

Shouldn't this be solved some other way?

DecoySalamander 3 days ago

I do it by reading the domain name and comparing it to what I expect it to be. It's not hard, and when in doubt I can easily check WHOIS info or search online for references.

This is also easily avoidable by using a password manager, which will not autofill credentials on a page with a wrong domain.

Edit: And yes, I do this for every link emailed to me that does anything more high-stakes than point me to a newsletter article.
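
An added illustration of the check the comment above relies on (example code, not from the commenter and not from any password manager's code base): a password manager fills a saved credential only when the page's registrable domain (eTLD+1) equals the one the credential was saved for, after the URL parser has mapped any internationalized label to its `xn--` punycode form, so a Cyrillic lookalike, a look-alike TLD, or the real name buried as a subdomain of another site all fail the comparison. The five-entry suffix list and every domain below are constructed samples; a real implementation uses the full Public Suffix List.

```javascript
// Added example of a password-manager-style autofill check.
// Not code from any password manager; the suffix list is a constructed
// stand-in for the Public Suffix List, and all domains are constructed samples.

// Tiny stand-in for the Public Suffix List (assumption: enough for the samples).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk"]);

// Return the registrable domain (eTLD+1) of a hostname, e.g.
// "login.example.co.uk" -> "example.co.uk". Returns null when the hostname is
// itself a public suffix or ends in a suffix we do not know, so the caller
// refuses to fill rather than guessing.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Longest candidate suffix first: everything after the first label.
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// Decide whether a credential saved for `savedOrigin` may be filled on `pageUrl`.
// Returns { fill: boolean, reason: string } so a caller can log why it refused.
function autofillDecision(savedOrigin, pageUrl) {
  let saved, page;
  try {
    // The WHATWG URL parser lowercases the host and converts any non-ASCII
    // label to punycode ("xn--..."), so a homograph never compares equal to
    // the ASCII domain it imitates.
    saved = new URL(savedOrigin);
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "unparseable URL" };
  }
  if (page.protocol !== "https:") {
    return { fill: false, reason: "page is not served over https" };
  }
  const savedDomain = registrableDomain(saved.hostname);
  const pageDomain = registrableDomain(page.hostname);
  if (savedDomain === null || pageDomain === null) {
    return { fill: false, reason: "no recognised registrable domain" };
  }
  if (savedDomain !== pageDomain) {
    return {
      fill: false,
      reason: `registrable domain ${pageDomain} does not match saved ${savedDomain}`,
    };
  }
  return { fill: true, reason: `registrable domain ${pageDomain} matches` };
}

// Constructed samples: the credential's saved site and a few pages a phishing
// mail might link to. "\u0430" is Cyrillic small a, a Latin "a" lookalike.
const SAVED = "https://accounts.example.com/login";
const SAMPLE_PAGES = [
  "https://accounts.example.com/login",    // same site, different subdomain is fine
  "https://example.org/login",             // same name, different TLD
  "https://example.com.evil.net/login",    // real name as a subdomain of another site
  "https://ex\u0430mple.com/login",        // homograph: becomes xn--... after parsing
  "http://accounts.example.com/login",     // right host, downgraded transport
  "https://com/",                          // bare public suffix
];

// Evaluate every sample; returns an array of { page, fill, reason }.
function runSamples() {
  return SAMPLE_PAGES.map((page) => ({ page, ...autofillDecision(SAVED, page) }));
}

for (const r of runSamples()) {
  console.log(`${r.fill ? "FILL   " : "REFUSE "} ${r.page}  (${r.reason})`);
}
```

Reading the domain by eye is the same comparison done without the parser's help; the example shows the two cases that are hardest to catch visually, the homograph and the real name used as a subdomain, because they only fail once the hostname is normalised and cut at the public suffix.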

mdavid626 3 days ago

I think it's unreasonable to expect that people will do this. Most people have no idea what a domain is; they won't be able to check WHOIS records.