Comment by drexlspivey
Comment by drexlspivey 8 hours ago
If your method of infecting your victim is having them paste and run a random command on their terminal, software developers is probably the worst group of people to be targeting.
Comment by drexlspivey 8 hours ago
If your method of infecting your victim is having them paste and run a random command on their terminal, software developers is probably the worst group of people to be targeting.
No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].
[0] https://web.archive.org/web/20240213030202/https://www.idont...
My only encounter with this is, that I am annoyed if I open web dev tools on a new browser profile/guest profile, but am interrupted in my workflow because first I have to type "allow pasting" every single time. (Why I do this quite often? To be sure to have a clean state when debugging a web app) And all this, because some people cannot think, before they follow obscure instructions send to them by a untrusted party?
Why can't we have nice things again? Because of abusers yes, but also because of sheep people.
You just need a handful of people to fall for it, and a population of a hundred million daily active users on GitHub means there are always a handful of people to trick.
“Curl pipe sh” would like to have a word…
I think you are painting with a broad brush.