The risk when starting scripts directly from the web with Curl

Lately I see a lot of projects starting up which advice you to install it with an install script.

For example we take Composer. You can install it with the following command.

The idea, great… But… What if you don’t know what the installer script contains?
For example, when DNS spoofing occurs.

This can bring you in a totally different situation…

Lets say we have the following command.

This will download the installer_hack and inject it directly into bash.

Now if you look at this script you will notice a couple of things… Here is the script

This script is harmless, it will simply echo some text, show you a spinner and list some files in your home directory.

Here comes the tricky part that will do harm…
At the line # Insert remove line here… You insert the following code:

Doing that will result that the rm command will be started in the background in another shell.
Then you will see the spinner but meanwhile , your home directory gets erased.

Now you know that these things can happen… It might be smart to read the script that you run before actually running it. Be safe!