This is a page for shaming people who recommend that users run curl | sh or something equivalent. I do NOT recommend running any of the commands
you see on this page because they might be highly malicious. I would
recommend for you to stay far away from projects you see on this page
because they are either run by retards or intelligence agencies.
You have been warned.
$ curl -L http://bit.ly/glances | /bin/bash
$ wget -O- http://bit.ly/glances | /bin/bash
No TLS and a likely malicious link shortener. Only a fucking retard would run this command.
bash <(curl https://get.parity.io -Lk)
Yes, let's allow CloudFlare to execute any code they want on our machine, that seems smart. And let's also trick people into thinking their connection is at least secured with TLS (up to CloudFlare) even though we allow insecure connections (-k) and redirects (-L). Super smart.
No wonder these guys got their money stolen when they are this incompetent.
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.2/install.sh | bash
wget -qO- https://raw.githubusercontent.com/creationix/nvm/v0.33.2/install.sh | bash
People REALLY trust GitHub. But what has GitHub ever done to deserve that trust?
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.31.1/install.sh | bash
What's with the -o-, do these people even know how curl works?
Thanks tyng for linking this to me.
somedir$ svn cat https://svn.l4re.org/repos/oc/l4re/trunk/repomgr | perl - init https://svn.l4re.org/repos/oc/l4re fiasco l4re
Seems like overkill to clone a repo, to say the least. Kernel developers are just as susceptible to bad practices as the rest of us.
$ curl bashlets.github.io | bash
It's understandable that Python devs or other people who aren't so familiar with the shell environment would not understand the implications of something like this, but if your project is written in Bash you really have no excuse.
(wget -O - pi.dk/3 || curl pi.dk/3/ || fetch -o - http://pi.dk/3) | bash
The snippet is from the manual parallel_tutorial. If there is one place where you could include a longer and more correct way of installing the package, it is the manual. The manual is 2626 lines long when rendered with less on an 80-column terminal.
Bonus points for telling the users to download it over HTTP instead of HTTPS (also worth mentioning that their certificate expired in 2011) and for using some obscure webhost that no one can place any sort of trust in. Needless to say, my confidence in the competency of the GNU parallel developers decreased quite heavily.
curl -s https://mailinabox.email/setup.sh | sudo bash
Again some retard/asshole is trying to lure you to execute shit as root. Don't do it!
# curl -s https://s3.amazonaws.com/download.draios.com/stable/install-falco | sudo bash
What kind of stupid person uses sudo to become root when they are already root? I'm not really surprised that someone stupid enough to do that would encourage people to curl | bash.
• Deployment note: Sysdig Falco requires deployment of a kernel module to your host servers, so make sure to confirm this is ok with your deployment policies, and are whitelisting the behavior (if you are doing any monitoring or restrictions of kernel modules).
Oh and remember to remove any security features so the adversary can fuck with your kernel as well.
curl https://nixos.org/nix/install | sh
How does this not completely defeat the point of Nix in the first place?
This script requires that you have sudo access to root, unless the directory /nix already exists and is writable by you.
kmicu: Tsutsukakushi: I told ya so… security is not a priority here. Feel free to try to improve security in Nix world, but you are better off with Guix. They even don’t trust compilers w/o bootstrapping from the source option :)
The above is a quote from the #nix channel on freenode from when I brought this up. You heard it folks, if you care about security DO NOT USE NIX.
Over http. Nuf said.
curl -s "https://get.sdkman.io" | bash
This alone is bad, but the idiots of groovy-lang have taken it a step further and removed the https.
curl -s get.sdkman.io | bash
I hope no one uses the programming language of these incompetent people. Just imagine what else they might have fucked up when they can't even get super simple shit like this right.
curl -sSf https://static.rust-lang.org/rustup.sh | sh
Holy shit. Even Rust is run by retards.
curl -L https://install.pi-hole.net | bash
Again, behind CloudFlare. It's like you're intentionally trying to get people infected.
curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org -n Mojolicious
This is especially nefarious since cpanmin.us uses CloudFlare and the program that it curls is 17k lines of obfuscated Perl.
curl -L https://cpanmin.us | perl - --sudo App::cpanminus
Holy fuck even cpanminus itself recommends this method for installing it, and this time with sudo for extra retard points.
curl -L http://install.pivpn.io | bash
DigitalOcean Debian to Arch
wget https://raw.githubusercontent.com/gh2o/digitalocean-debian-to-arch/debian8/install.sh && bash install.sh
Oh My Zsh!
sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
sh -c "$(wget https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh -O -)"
I'm baffled how this project became so popular.
curl -sL https://git.io/vV4yE | sh
The dates indicate the day I saw the specific malpractice.
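
The problems called out across this page (a download piped into an interpreter, plain HTTP, disabled certificate checks, link shorteners, running the result as root) can be checked mechanically before anyone pastes a command. The following is an added example, not part of the original page; the function name `audit_install_cmd`, the finding labels and the shortener list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an install one-liner for the problems this page names.
# Prints space-separated findings; an empty line means nothing matched.
audit_install_cmd() {
    cmd=$1
    out=""
    has() { printf '%s\n' "$cmd" | grep -Eq -e "$1"; }
    note() { out="${out:+$out }$1"; }

    # Fetched bytes go straight into an interpreter ("| sh", "bash <(...)",
    # sh -c "$(...)"), so nothing is left on disk to review afterwards.
    if has '\|[[:space:]]*(sudo[[:space:]]+)?(/bin/)?(ba)?sh([[:space:]]|$)' ||
       has '\|[[:space:]]*perl([[:space:]]|$)' ||
       has '(ba)?sh[[:space:]]+(<\(|-c[[:space:]]+"\$\()'; then
        note pipe-to-interpreter
    fi
    # Plain HTTP: explicit http://, or a schemeless host, which curl and wget
    # fetch over http. Heuristic: assumes options before the host take no value.
    if has 'http://' ||
       has '(curl|wget)([[:space:]]+-[^[:space:]]*)*[[:space:]]+[a-z0-9-]+(\.[a-z0-9-]+)+'; then
        note plain-http
    fi
    # Certificate verification switched off (curl -k/--insecure, wget flag).
    if has '(^|[[:space:]])(-[A-Za-z]*k[A-Za-z]*|--insecure|--no-check-certificate)([[:space:]]|\)|$)'; then
        note tls-verify-off
    fi
    # Link shortener hides the real origin (illustrative list, not complete).
    if has '(bit\.ly|git\.io)/'; then note url-shortener; fi
    # The fetched script is handed to root.
    if has '\|[[:space:]]*sudo[[:space:]]' || has '[[:space:]]--sudo([[:space:]]|$)'; then
        note runs-as-root
    fi
    printf '%s\n' "$out"
}

# Commands copied from this page, audited as strings only (nothing is fetched).
while IFS= read -r line; do
    printf '%s\n  => %s\n' "$line" "$(audit_install_cmd "$line")"
done <<'EOF'
curl -L http://bit.ly/glances | /bin/bash
bash <(curl https://get.parity.io -Lk)
curl -s https://mailinabox.email/setup.sh | sudo bash
curl -s get.sdkman.io | bash
curl -L https://cpanmin.us | perl - --sudo App::cpanminus
EOF
```

The checks are pattern matches on the command text, so a clean result only means none of these specific patterns appeared, not that the script being fetched is trustworthy.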