I set up a quick demonstration to show the risks of curl|bash and how a bad actor could potentially hide a malicious script that appears safe.

It’s nothing new or groundbreaking, but I figure it never hurts to have another reminder.

  • one_knight_scripting@lemmy.world
    11 hours ago

    I mean, true, but most of the things I do that with are private scripts that I wrote. I think the main exception to that is Oh-my-zsh.

    Also it’s not really a full pipe…

    bash <(curl cht.sh/curl)
    

    That saves the URL as a temporary file and opens it with bash. Frankly, the URL I gave you is very bad because it is not actually a script, just the help page for curl. Frankly, it would be better if it wasn’t nested.
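A defensive alternative to executing a fetched script directly, added here as an example that is not part of the original post or comment: download the script to a file, compare it against a SHA-256 recorded when the file was reviewed, and run only that exact file. The function names `fetch_to_file` and `run_if_pinned` are hypothetical, and `sha256sum` (GNU coreutils) is assumed to be installed.

```shell
# Added example, not from the thread. Function names are hypothetical.

# fetch_to_file URL DEST
# Download the whole response to DEST before anything is executed.
# --fail makes HTTP errors a non-zero exit instead of saving an error page;
# --proto '=https' refuses any non-HTTPS URL, including redirects to one.
fetch_to_file() {
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Execute FILE with bash only if its SHA-256 equals the pinned value.
# Returns 2 if the file cannot be read, 1 on a hash mismatch,
# otherwise the exit status of the script itself.
run_if_pinned() {
    local file=$1 expected=$2 actual
    shift 2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 2
    if [ "$actual" != "$expected" ]; then
        echo "hash mismatch for $file: got $actual" >&2
        return 1
    fi
    bash "$file" "$@"
}

# Typical flow (URL and hash are placeholders, not real values):
#   fetch_to_file "https://example.invalid/install.sh" ./install.sh
#   less ./install.sh                       # review what was actually received
#   sha256sum ./install.sh                  # record this as the pin
#   run_if_pinned ./install.sh "<PINNED_SHA256>"
```

Because the hash is checked on the file that is then executed, a server that returns different content on a later request, or a download that was cut short, produces a mismatch instead of a run.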