Wow! I had no idea. Will need to update the README. Thanks for the tip!

Yes, that is awesome. I wonder if "go" works like that also?

Has this behavior been the source of exploits in the past? Something about it feels dangerously presumptuous to me.

I am guessing it only resorts to that expansion if it dosesn't _already_ know about the command, because $(printf '#!/bin/sh\necho pwned\n' > /bin/git-status; chmod 755 /bin/git-status; git status) results in the thing happening that you'd expect, not a mysterious message

FWIW, both brew and kubectl also have adopted this behavior (of $(basename)-plugin style verb extensions) so I find it unlikely they'd all do it if it was a straight-up facepalm

probably adding a confirmation message the first time the alias is used for each command would be good, it would be nice to know when i'm invoking git and when i'm invoking a third party binary regardless of any exploit attempts!

If malicious code ends up in your $PATH you have much bigger problems than git having a seamless plugin architecture.