Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

All the attacks you described also apply to downloading and executing a file. I don't think `curl | sh` is worse in this regard.


With a downloaded file your antivirus will run automated checks on it, you can calculate a hash signature and compare the value with others who also download the file, and you will notice if the file changes after you execute it.


If you download it first, you can at least eyeball what's been downloaded to check it doesn't start by installing a bitcoin miner


How often do people do that when they install a package from npm, pypi, or other package repository? In practice never.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: