zlacker

[return to "The browser catches homograph attacks, the terminal doesn't"]
1. accoun+2Z3[view] [source] 2026-02-04 13:54:38
>>MrBudd+(OP)
> curl -sSL https://install.example-cli.dev | bash # safe

This is not and has never been safe.

◧◩
2. digita+VZ3[view] [source] 2026-02-04 14:00:16
>>accoun+2Z3
It's about as safe as trusting all the add-ons in your IDE, and all the packages your node app pulls from random package repos.

It's just the plausible blame that shifts.

If you read the script before you pipe it into your shell, it's safe.

And if that's not safe, then it's just as dangerous to trust that an unopened bottle of ketchup is safe.

Nothing is safe. Everything is a judgement. Being culpable is a professional service. Lucky people out-earn unlucky people. The world is a scary place.

◧◩◪
3. anthk+oha[view] [source] 2026-02-06 07:14:26
>>digita+VZ3
Linux distributions contain a curated set of packages. And, if any, distros like Guix can import NPM crap and at least place it under an isolated container for work so the rest it's unharmed.
◧◩◪◨
4. Punchy+Usa[view] [source] 2026-02-06 09:21:52
>>anthk+oha
also you're getting at least some of crowd safety in it. If you're using Debian Testing or a rolling distro your package was probably tested by a bunch of people already.

If you're using stable/LTS branch, there were far more eyes on it too

And packages are signed, can't just hijack web domain to inject code

[go to top]