We might be victims of our own success on some of this. We've never had a major security hole in Mosh (after ten years since 1.0). We're really proud of that! But that also means we've never needed to issue a security update, which some people use as a proxy for "are people looking for security holes in this project."

After a few years without an active maintainer, as of a few months ago we now have a group working slowly but actively towards a Mosh 1.4 release. I think the main benefit people are expecting will be support for 24bit color escape sequences, but I'm also hoping we can get some fuzz targets, etc.

Yes, because it’s underpinned by SSH it’s secure.

The authors consider it feature complete hence the lack of updates.

What? Outside of initial handshake, it doesn’t use ssh (which is kind of the point). It’s totally valid to ask about its security.

So does rsh. GP asked if it was secure, though.

Good for you! But the question was about it being secure, while answer is about something else.