Thanks for sharing.
But, please stop using the curl command piped into a terminal pattern. Malicious actors have been abusing the fuck out of this pattern ever since the idiots at Anthropic decided that would be the official install pattern for Claude. I’ve been cleaning up infections based on people just blindly running shit like that constantly over the last couple months.
Folks, never run a random script from the internet, without being sure what you are actually about to run. If using AUR packages is considered risky. Random scripts being piped into a terminal ranks right up there with sticking your dick in a blender.
Longer than that. In particular, a malicious server can detect when a script is being viewed or downloaded vs being piped to a shell, and can serve something different. https://web.archive.org/web/20250622061208/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
Wow. Learn something new everyday.
Thanks for sharing.
Random scripts being piped into a terminal ranks right up there with sticking your dick in a blender.
Excellent imagery.
And so true.
And I’m guilty of it myself, even though I know better.
That must make for embarrassing discussions with your doctor.
Bravo! (sincere, not sarcastic)
I actually had to go back and re-read what I posted to understand your answer. I am apparently a derp today.
I made a spite-site a few years ago for this very purpose https://stoppip.ing/
I agree that’s why i’ve posted the main link and author. Still is a fair point. I’ll remove the code from the description.
There is also already this:
https://github.com/lenucksi/aur-malware-checkAh, nice. My friend group made one as well.
I hope Arch gets this shit sorted.
Ah yes, run this random shell script hosted on the internet.
And I got downvoted for suggesting that they use an ML tool like crowdstrike to scan submissions for weird things… and for some reason people pointed out that they caused one incident of linux crashes and one incident of windows crashes last year. What if I told you that you could run a scan like that on a VM with the storage, web hosting and everything else entirely separate from said scanning VM… but no, random shell scripts into terminal GO!
Just seeing the results of a sandbox detonation should give you some level of an idea that something is bad or not bad. This kind of tooling isn’t exclusive to any one entity and the results should be part of any repo for anyone to review and flag if you really want to avoid ML as a layer of defense.
Nah, nobody is recommending that you just rawdog this freaking script in a terminal, as it is only useful if you make use of the AUR! The golden rule is to evaluate every script that you see, decide if it is a good or bad, personally having read it there aren’t any malicious instructions present in it. ML tools aren’t particularly reliable, can be tricked, deliver false negative or false positive results, and will just dull your mind.
If one cannot read, evaluate, and come to a decision based on the information available…Arch simply isn’t a good fit for the person in question. That is okay, and there are plenty of options.
Granted the AUR shouldn’t be as easy to exploit as it was in this instance, it’s a bit too wild west for my liking. There needs to be better protections that prevent such exploitation in the future, as there are clear exploitable weaknesses present with the AUR which need to be closed to prevent something low effort from happening again. The axiomatic truth of the AUR remains true: Do not trust, verify any PKGbuilds before installing software and before every single update.
