As recently discussed on the Arch mailing list, there appears to have been a large coordinated attack on the AUR some time within the last 24 hours that seems to have resulted in a rather sizable number of packages being contaminated with malware. This is a good reminder that the AUR is open, unofficial, user-produced content. The only secure way to use the Arch User Repository is by reviewing every PKGBUILD. While efforts are now underway to clean out any problem packages, there still exists ...
But, please stop using the curl command piped into a terminal pattern. Malicious actors have been abusing the fuck out of this pattern ever since the idiots at Anthropic decided that would be the official install pattern for Claude. I’ve been cleaning up infections based on people just blindly running shit like that constantly over the last couple months.
Folks, never run a random script from the internet without being sure what you are actually about to run. If using AUR packages is considered risky, random scripts being piped into a terminal rank right up there with sticking your dick in a blender.
This is so stupid but really hard to avoid. Before, I had a gz link and I knew I’d download, check SHA or signature, export path and ready.
Tried installing antigravity and it’s this stupid thing. So I downloaded a large script, read a lot of it, didn’t find something easy to put together to figure out what binary to download. Took me quite some time to install something that should have taken 2 minutes.
Ah and I’m told it auto upgrades. Great, now I have a back door too.
Replace this tool with basically anything, because pages don’t have download links anymore. Soon there will be nothing published in curated repos like brew, nix, Debian etc.
Thanks for sharing.
I made a spite-site a few years ago for this very purpose https://stoppip.ing/
Longer than that. In particular, a malicious server can detect when a script is being viewed or downloaded vs being piped to a shell, and can serve something different. https://web.archive.org/web/20250622061208/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
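The safe alternative described earlier in the thread (download, check the SHA or signature, then run) is also the mitigation for the server-side trick linked above: a server can only serve a different payload to a pipe if the bytes you inspect and the bytes you execute come from two different requests. The script below is an added example, not code from the thread or from any of the projects mentioned; it downloads to a file once, pins the SHA-256 against a value obtained out of band (the pinned hash and the sample installer content are constructed placeholders), and runs only the file that was verified. The `fetch_script` helper is not exercised offline; the rest runs on any POSIX sh with `sha256sum`, `shasum` or `openssl` present.

```shell
#!/bin/sh
# Added example: "download, inspect, verify, then run" instead of `curl ... | sh`.
# The sample installer content and the pinned hash are constructed for illustration.

# Fetch the installer to disk exactly once. -f fails on HTTP errors, --proto '=https'
# refuses plaintext redirects, -o writes to a file so what you read is what you run.
fetch_script() {
  url=$1
  file=$2
  curl -fsSL --proto '=https' -o "$file" "$url"
}

# Write a constructed sample installer so the rest of the example runs offline.
make_sample_script() {
  file=$1
  printf '%s\n' '#!/bin/sh' 'echo "hello from installer"' > "$file"
}

# SHA-256 of a file, portable across coreutils, macOS/BSD shasum and openssl.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Compare the downloaded file against a hash pinned out of band (release page,
# signed checksums file, vendor docs). Returns 0 on match, 1 on mismatch.
verify_script() {
  file=$1
  expected=$2
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Execute the on-disk file only after it verified; the stream is never executed.
# Between fetch and run is where you actually read the script ($PAGER, grep for
# curl/wget/base64/eval, etc.), which a pipe never gives you a chance to do.
run_verified() {
  file=$1
  expected=$2
  if ! verify_script "$file" "$expected"; then
    echo "hash mismatch for $file: refusing to run" >&2
    return 1
  fi
  sh "$file"
}

# Stand-alone demo: only runs when invoked with --demo so sourcing is side-effect free.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_script "$tmp"
  pinned=$(sha256_of "$tmp")          # in real use this comes from a trusted source, not the file itself
  run_verified "$tmp" "$pinned"
  run_verified "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" || echo "tampered copy rejected"
  rm -f "$tmp"
fi
```

The hash must come from somewhere other than the same download (a signed checksums file, the release page over a separate connection, or a package manager's metadata); pinning it to whatever the file hashes to at first download only detects later changes, not an initially malicious copy.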
Wow. Learn something new every day.
Thanks for sharing.
Excellent imagery.
And so true.
And I’m guilty of it myself, even though I know better.
That must make for embarrassing discussions with your doctor.
Bravo! (sincere, not sarcastic)
I actually had to go back and re-read what I posted to understand your answer. I am apparently a derp today.
I agree, that’s why I’ve posted the main link and author. Still, it is a fair point. I’ll remove the code from the description.