> Compromising one of these would be as "simple" as getting a PR merged that wasn't reviewed carefully.
I think it's less scary than this. A hypothetical PR would have to contain all the keylogger rules. The person who approves the PR would have to be in cahoots. I hope the filter-list repository owners have 2FA turned on...
I wouldn't be surprised if, given the volume of new domains to be blocked (like for a malware list), there's some automation involved. And since malicious domains can be absolutely nutty, it seems particularly hard to manually review for an attack like this.
Ultimately I suspect that getting fuzzing integrated, lots of testing, etc., would be wise. It would also make sense to limit the lists you subscribe to - there's not really a ton of reason, in my opinion, to subscribe to more than a basic list.
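As an added illustration of the automated review step the comment above gestures at (this is not code from any commenter or from any filter-list project), here is a small CI-style gate that classifies the rules a PR adds and flags anything that is not a plain network-block rule, so a "just add more domains" PR that also smuggles in cosmetic, exception or scriptlet rules gets a human look. It assumes Adblock Plus / uBlock Origin rule syntax (`||domain^` network rules, `##` cosmetic rules, `@@` exceptions, `##+js(` scriptlet injection); the domains and the two list versions are constructed.

```python
"""Classify rules added between two versions of an Adblock-syntax filter list
and flag every added rule that is not a plain network-block rule.

Constructed example: the lists, domains and rules below are made up for
illustration and are not taken from any real filter list."""
import difflib
import re

# Hypothetical "before merge" list.
BEFORE = """[Adblock Plus 2.0]
! Title: Example malware list (constructed)
||bad-example.invalid^
||tracker-example.invalid^$third-party
"""

# Hypothetical "after merge" list: one legitimate domain addition plus three
# rules of more powerful classes that a domain-only PR should not contain.
AFTER = """[Adblock Plus 2.0]
! Title: Example malware list (constructed)
||bad-example.invalid^
||tracker-example.invalid^$third-party
||another-bad.invalid^
example.invalid##.promo-banner
example.invalid##+js(set-constant, window.x, 1)
@@||cdn-example.invalid^$script
"""

# ||hostname^ optionally followed by $options, e.g. ||host.invalid^$third-party
NETWORK_RULE = re.compile(r"^\|\|[a-z0-9.-]+\^", re.IGNORECASE)


def classify(rule: str) -> str:
    """Return the rule class: comment, scriptlet, html-filter, cosmetic,
    exception, network or unknown. Order matters: the most powerful
    classes are checked first."""
    r = rule.strip()
    if not r or r.startswith("!") or (r.startswith("[") and r.endswith("]")):
        return "comment"
    if "##+js(" in r:
        return "scriptlet"    # injects JavaScript into matching pages
    if "##^" in r:
        return "html-filter"  # rewrites the page's HTML before parsing
    if "#@#" in r or "##" in r:
        return "cosmetic"     # hides or alters page elements
    if r.startswith("@@"):
        return "exception"    # disables blocking: can silently re-enable a host
    if NETWORK_RULE.match(r):
        return "network"
    return "unknown"


def added_rules(before: str, after: str) -> list[str]:
    """Lines present in `after` but not in `before`, via a unified diff."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def review(before: str, after: str,
           allowed=("network", "comment")) -> list[tuple[str, str]]:
    """Return (class, rule) for every added rule outside the allowed classes.
    An empty result means the change only adds network blocks and comments."""
    return [(cls, r) for r in added_rules(before, after)
            if (cls := classify(r)) not in allowed]


if __name__ == "__main__":
    findings = review(BEFORE, AFTER)
    for cls, rule in findings:
        print(f"NEEDS HUMAN REVIEW [{cls}]: {rule}")
    raise SystemExit(1 if findings else 0)
```

In a pipeline the non-zero exit blocks auto-merge; the allowed set is deliberately narrow because the expensive classes (scriptlets, HTML filters, exceptions) are exactly the ones that deserve a named reviewer rather than a volume-driven bot.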