{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicuknfr7a3fl2i67faor4wd5dorpi77osc33vr5x7bkzq3clvrxi4",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mimv3ux5vez2"
  },
  "path": "/t/macos-26-4-brings-new-terminal-security-feature-to-stop-malicious-commands/36782#post_7",
  "publishedAt": "2026-04-03T22:57:51.000Z",
  "site": "https://discuss.privacyguides.net",
  "textContent": "For people here who do not understand the command, `curl` downloads data from a URL, and `|` means pipe the data that comes from `curl` (the left command) into the shell interpreter (the right command), most commonly `sh` or `bash`. A variant of this is `sh -c \"$(curl ...)\"` which essentially does the same thing. Another variant is using `wget` in place of `curl`.\n\nIn commands floating around on the internet, the server the URL refers to could be malicious.\n\nThe risk is higher if\n\n  * The shell interpreter command is prefixed with `sudo` or the script asks for root privileges.\n  * The command comes from an untrusted source, thus may have been modified by whoever published it.\n  * The URL is non-TLS, enabling MITM attacks that modify the downloaded script in transit.\n  * The URL is an untrustworthy source.\n\n\n\nIf the source is a malicious server, the server can do nasty things on the system that runs the script. Worse, the server can deliver different payloads to different clients. For instance, with respect to running a downloaded script, it is possible for the server to detect the script is being piped into and is being run by a shell interpreter, and if it is not being run, deliver a benign payload to avoid detection of malicious intent to fool anyone who attempts to inspect the script.\n\nBefore installing or running anything, it is important to verify the download; the best practice is verifying the cryptographic signature of it created by the provider of the download. However when a downloaded shell script is piped directly into a shell, there is no such opportunity. I think it is bad practice when software vendors instruct users to pipe a script into a shell. 
The server is capable of delivering different scripts to different clients, thus is capable of selectively delivering malicious scripts to certain clients, for instance when coerced into being malicious.\n\nAnother issue is what happens when the server connection is severed. The script will start running even before it is fully downloaded. The result is a script that runs halfway, possibly leaving the system in an intermediate state, for instance if it was trying to install something.\n\nIt is safer, but not necessarily safe, to download the entire script first and verify it before running it. When installing something, much better is to use a package manager.",
  "title": "macOS 26.4 Brings New Terminal Security Feature to Stop Malicious Commands"
}