This is a page for shaming people who recommend users to curl | sh or something equivalent. I do NOT recommend to run any of the commands you see on this page because they might be highly malicious. I would recommend for you to stay far away from projects you see on this page because they are either run by retards or intelligence agencies.

Curling straight into an interpreter has many dangers. People have come up with ways of detecting if that is being done. Pastejacking is a thing if you are using a browser that has JavaScript. And if you're curling over HTTP or through a CDN, some third party that isn't even part of the project could modify the script. And most of all, the people that are part of the project are also likely to be malicious because trying to infect someone is the only valid reason to recommend this method of installation.

You have been warned.
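The alternative to the patterns listed below, as an added example that is not part of the original page: download to a file over HTTPS only, read it, and run it only if its SHA-256 matches a value obtained from a separate channel. The function names, the placeholder URL and the pinned-hash workflow are assumptions of this example.

```shell
#!/bin/sh
# Added example: download, verify, then run, instead of piping curl into a shell.
# All function names here are hypothetical helpers, not part of any project.

# Print the SHA-256 of file $1 as hex (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fetch URL $1 into file $2. HTTPS only, also across redirects; never -k.
fetch_installer() {
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# Run file $1 only if its digest equals the pinned value $2. The pin must come
# from somewhere other than the download itself (signed release notes, a
# distribution maintainer, a second network path).
run_verified() {
    file=$1
    pinned=$2
    [ -s "$file" ] || { echo "refusing: $file is missing or empty" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$pinned" ]; then
        echo "refusing: digest mismatch for $file" >&2
        echo "  pinned: $pinned" >&2
        echo "  actual: $actual" >&2
        return 1
    fi
    # The shell now reads a local file that was hashed and could be reviewed
    # first, so the server cannot tailor the body to a piped interpreter.
    sh "$file"
}

# Typical use (URL and hash are placeholders):
#   fetch_installer "https://example.invalid/install.sh" ./install.sh
#   less ./install.sh
#   run_verified ./install.sh "<sha256 published out of band>"
```

A hash only proves the file is the one the publisher pinned; it says nothing about whether the publisher is trustworthy, which is why the review step stays in the procedure.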



$ curl -L | /bin/bash
$ wget -O- | /bin/bash

No TLS and a likely malicious link shortener. Only a fucking retard would run this command.



bash <(curl -Lk)

Yes, let's allow CloudFlare to execute any code they want on our machine, that seems smart. And let's also trick people into thinking their connection is at least secured with TLS (up to CloudFlare) even though we allow insecure connections and redirects. Super smart.

No wonder these guys got their money stolen when they are this incompetent



curl -o- | bash
wget -qO- | bash

People REALLY trust GitHub. But what has GitHub ever done to deserve that trust?



curl -o- | bash

What's with the -o-, do these people even know how curl works?

Thanks tyng for linking this to me.



somedir$ svn cat | perl - init fiasco l4re

Seems like overkill to clone a repo, to say the least. Kernel developers are just as susceptible to bad practices as the rest of us.



$ curl | bash

It's understandable that Python devs or other people that aren't so familiar with the shell environment would not understand the implications of something like this, but if your project is written in Bash you really have no excuse.


GNU Parallel

(wget -O - || curl || fetch -o - | bash

The snippet is from the manual parallel_tutorial. If there is one place where you could include a longer and more correct way of installing the package, it is the manual. The manual is 2626 lines long when rendered with less on an 80 column terminal.

Bonus points for telling the users to download it over HTTP rather than HTTPS (also worth mentioning that their certificate expired in 2011) and for using some obscure webhost that no one can place any sort of trust in. Needless to say, my confidence in the competency of GNU parallel developers decreased quite heavily.



curl -s | sudo bash

Again some retard/asshole is trying to lure you to execute shit as root. Don't do it!


Sysdig Falco

# curl -s | sudo bash

What kind of stupid person uses sudo to become root when they are already root? I'm not really surprised that someone stupid enough to do that would encourage people to curl | bash.

• Deployment note:  Sysdig Falco requires deployment of a kernel module to your host servers, so make sure confirm this is ok with your deployment policies, and are whitelisting the behavior (if you are doing any monitoring or restrictions of kernel modules).

Oh and remember to remove any security features so the adversary can fuck with your kernel as well.



curl | sh

How does this not completely defeat the point of Nix in the first place?

This script requires that you have sudo access to root, unless the directory /nix already exists and is writable by you.

Please no.

kmicu: Tsutsukakushi: I told ya so… security is not a priority here. Feel free to try to improve security in Nix world, but you are better off with Guix. They even don’t trust compilers w/o bootstrapping from the source option :)

And here is a quote from the #nix channel on freenode when I brought this up. You heard it folks, if you care about security DO NOT USE NIX.




Over http. Nuf said.



curl -s "" | bash

This alone is bad, but the idiots of groovy-lang have taken it a step further and removed the https.


curl -s | bash

I hope no one uses the programming language of these incompetent people. Just imagine what else they might have fucked up when they can't even get super simple shit like this right.


curl -sSf | sh

Holy shit. Even Rust is run by retards.


curl -L | bash

Again, behind CloudFlare. It's like you're intentionally trying to get people infected.



curl -L | perl - -M -n Mojolicious

This is especially nefarious since it uses CloudFlare and the program that it curls is 17k lines of obfuscated Perl.


curl -L | perl - --sudo App::cpanminus

Holy fuck even cpanminus itself recommends this method for installing it, and this time with sudo for extra retard points.



curl -L | bash

DigitalOcean Debian to Arch

wget && bash

Oh My Zsh!

sh -c "$(curl -fsSL"


sh -c "$(wget -O -)"

I'm baffled how this project became so popular



curl -sL | sh

The dates indicate the day I saw the specific malpractice.