Thanks for sharing.
But, please stop using the curl command piped into a terminal pattern. Malicious actors have been abusing the fuck out of this pattern ever since the idiots at Anthropic decided that would be the official install pattern for Claude. I’ve been cleaning up infections based on people just blindly running shit like that constantly over the last couple months.
Folks, never run a random script from the internet, without being sure what you are actually about to run. If using AUR packages is considered risky. Random scripts being piped into a terminal ranks right up there with sticking your dick in a blender.
This is so stupid but really hard to avoid. Before I had a gz link and I knew I’d download, check Sha or signature, export path and ready.
Tried installing antigravity and it’s this stupid thing. So I downloaded a large script, read a lot of it, didn’t find something easy to put together to figure out what binary to download. Took me quite some time to install something that should have taken 2 minutes.
Ah and I’m told it auto upgrades. Great, now I have a back door too.
Replace this tool with basically anything, because pages don’t have download links anymore. Soon there will be nothing published in curated repos like brew, nix, debían etc
I made a spite-site a few years ago for this very purpose https://stoppip.ing/
Longer than that. In particular, a malicious server can detect when a script is being viewed or downloaded vs being piped to a shell, and can serve something different. https://web.archive.org/web/20250622061208/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
Wow. Learn something new everyday.
Thanks for sharing.
Random scripts being piped into a terminal ranks right up there with sticking your dick in a blender.
Excellent imagery.
And so true.
And I’m guilty of it myself, even though I know better.
That must make for embarrassing discussions with your doctor.
Bravo! (sincere, not sarcastic)
I actually had to go back and re-read what I posted to understand your answer. I am apparently a derp today.
I agree that’s why i’ve posted the main link and author. Still is a fair point. I’ll remove the code from the description.
You should be reviewing the PKGBUILD on anything from the AUR anyway
Ah, nice. My friend group made one as well.
I hope Arch gets this shit sorted.
Ah yes, run this random shell script hosted on the internet.
And I got downvoted for suggesting that they use an ML tool like crowdstrike to scan submissions for weird things… and for some reason people pointed out that they caused one incident of linux crashes and one incident of windows crashes last year. What if I told you that you could run a scan like that on a VM with the storage, web hosting and everything else entirely separate from said scanning VM… but no, random shell scripts into terminal GO!
Just seeing the results of a sandbox detonation should give you some level of an idea that something is bad or not bad. This kind of tooling isn’t exclusive to any one entity and the results should be part of any repo for anyone to review and flag if you really want to avoid ML as a layer of defense.
Reading through the shell script and understanding what it does before you run it should be a given. You don’t need to trust any closed source tool or whatever. Read it, before you execute it. If you are unable to do that, Arch is probably not the right distro for you anyway and in that case, good luck.
Nah, nobody is recommending that you just rawdog this freaking script in a terminal, as it is only useful if you make use of the AUR! The golden rule is to evaluate every script that you see, decide if it is a good or bad, personally having read it there aren’t any malicious instructions present in it. ML tools aren’t particularly reliable, can be tricked, deliver false negative or false positive results, and will just dull your mind.
If one cannot read, evaluate, and come to a decision based on the information available…Arch simply isn’t a good fit for the person in question. That is okay, and there are plenty of options.
Granted the AUR shouldn’t be as easy to exploit as it was in this instance, it’s a bit too wild west for my liking. There needs to be better protections that prevent such exploitation in the future, as there are clear exploitable weaknesses present with the AUR which need to be closed to prevent something low effort from happening again. The axiomatic truth of the AUR remains true: Do not trust, verify any PKGbuilds before installing software and before every single update.
