by wizofaus 1136 days ago
The fact that browsers will silently strip out everything before @, including "fake" slashes is surely the real problem here. That .zip is now a valid TLD doesn't strike me as making the situation vastly worse - something like https://github.com/kurbernetes/@latest.dev/package.zip seems just as likely to fool a recipient not being 100% vigilant. (To be fair, that used real slashes - all the substitute slash characters do actually look noticeably different to a regular slash - perhaps surprisingly there's no "non-breaking slash". Actually the big solidus ⧸ is pretty close but HN seems to block me using it in a URL!)
1 comments

github.com∕not-suspicious@package.zip

add https:// and your browser will take you right to https://package.zip

Sure, and the fact that .zip is both a common file extension for downloading AND now a TLD is not a good thing (I don't know who thought having .zip as a TLD was a good idea), but I still don't think it's the main risk here. Maybe it'll finally prompt Google (and other browser distributors) to stop automatically stripping stuff from URLs, and to check/warn on Unicode homographs (hell, it doesn't even warn on www․google.com - and that's NOT a regular period/full stop after the first www - I doubt anyone would be able to register www․google.com as a domain but who knows).
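The userinfo trick and the lookalike characters discussed in this thread, as an added example that is not taken from any of the comments: a small Python check that reads a URL's authority the way a browser does (everything before the last `@` is userinfo and is ignored) and reports the warnings a mail gateway or browser could raise. The division slash and the one-dot leader are the characters quoted above; the other lookalike entries and the `.zip` heuristic are my own assumptions.

```python
import unicodedata

# Constructed list of explicit lookalikes; fullwidth forms and ONE DOT LEADER
# are caught by the NFKC fold in lookalike_of() below.
LOOKALIKES = {
    "\u2215": "/",  # DIVISION SLASH, used in the comment above
    "\u29f8": "/",  # BIG SOLIDUS
}

def split_authority(url):
    """Return (userinfo, host) the way a browser reads the URL.

    The authority runs from '://' to the first real '/', '?' or '#'.
    Everything up to the last '@' inside it is userinfo, which the browser
    ignores when picking the host, so that is where a decoy "path" hides.
    Returns (None, None) when the URL has no authority at all.
    """
    _scheme, sep, rest = url.partition("://")
    if not sep:
        return None, None
    end = len(rest)
    for stop in "/?#":
        idx = rest.find(stop)
        if idx != -1:
            end = min(end, idx)
    userinfo, _at, hostport = rest[:end].rpartition("@")
    host = hostport if hostport.startswith("[") else hostport.rsplit(":", 1)[0]
    return userinfo, host.lower()

def lookalike_of(ch):
    """Return the ASCII URL delimiter ch could be mistaken for, else None."""
    if ch in LOOKALIKES:
        return LOOKALIKES[ch]
    folded = unicodedata.normalize("NFKC", ch)
    return folded if folded != ch and len(folded) == 1 and folded in "/.@:" else None

def url_warnings(url):
    """List of warnings a defender would want shown for a suspicious URL."""
    warnings = []
    userinfo, host = split_authority(url)
    if host is None:
        return warnings
    if userinfo:
        warnings.append(f"text before '@' is userinfo and ignored; real host is {host!r}")
    seen = set()
    for ch in userinfo + host:
        alike = lookalike_of(ch)
        if alike and ch not in seen:
            seen.add(ch)
            warnings.append(f"U+{ord(ch):04X} {unicodedata.name(ch)} looks like {alike!r}")
    if host.endswith(".zip"):
        warnings.append("host ends in .zip, which reads like a downloadable file name")
    return warnings
```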