undefined

points

[-]

This is how everyone does it now. Including Anthropic.

To be fair, is that any different from naively trusting NPM? It's not like NPM is doing any vetting. They're every threat actors favorite sandbox these days.

https://code.claude.com/docs/en/quickstart

by folkrav2 hours ago|

prev|

[-]

You're right that it's as dangerous as it's executing random third-party code on your machine, but the method also has propagated far beyond PoCs and such at this point. All of these projects and many others push that install method: Bun, Deno, rustup, k3s, Docker (if using their helper script), Homebrew, Tailscale...

by meatmanek2 hours ago|

parent|

[-]

Frankly, it's not really more insecure than any other installation method. Apt packages and the like generally have the ability to specify pre/post-install scripts, so `sudo dpkg -i ./random.deb` is equivalent to `sudo bash ./random.sh`. Even if they didn't have pre/post-install scripts, they're still writing arbitrary files to arbitrary locations on your disk, so they can trigger execution the next time you boot or log in or whatever.

And at the end of the day, no matter the installation method (even just unpacking a tarball and executing the program directly from that directory), you're going to run their program on your computer, and then the program can do whatever it wants. Maybe you don't run it with sudo, but https://xkcd.com/1200/ seems relevant.

by emulio2 hours ago|

parent|

[-]

A package (like a .deb) is a static artifact. It can be hashed, mirrored, and GPG-signed. Package managers usually verify that signature before any pre/post-install scripts. A "curl <some_url> | bash" pipe is a dynamic stream; the server can perform targeted attacks: sending a clean script to 99% of users and a malicious payload only to a specific IP address or User-Agent. This allows for targeted attacks that are invisible to the rest of the community.

Yes, running third-party code is always a leap of faith, but why choose a delivery method that removes the possibility of verification and opens the door to targeted injections? Convenience shouldn't be an excuse to ignore basic security hygiene.

by Chu4eeno1 hours ago|

parent|

[-]

The problem is that npm, cargo, etc. set the standard in people's minds for how package managers work, when the Linux community has been working on securing the supply chain issues for decades.

Like requiring a WoT (usually with physical meetups) vetting people creating packages, FTP-masters, dedicated clean buildbots, etc. in addition to the packages themselves being signed and so on.

by plus-one2 hours ago|

prev|

[-]

Codex use this (for update).

> sh -c 'curl -fsSL https://chatgpt.com/codex/install.sh | CODEX_NON_INTERACTIVE=1 sh'

This is just sh, not bash, but I doubt it would be any better.

by LeonidBugaev3 hours ago|

prev|

[-]

Thats exactly same as Claude Code offer: https://code.claude.com/docs/en/quickstart

by nailer3 hours ago|

prev|

[-]

We've had this discussion since Eazel Linux desktop popularized bash | curl in 2001.

> npm install ... is a much better approach to managing installed packages.

No. Until the upcoming version of npm is out, npm will also run arbitrary code. Almost all common installation tools run arbitrary code. Not doing that is sadly the exception for now.

by mapontosevenths2 hours ago|

parent|

[-]

Isn't executing arbitrary code kind of the entire point of NPM though? Any chance you have a link to something that describes their plans?

by nailer2 hours ago|

parent|

[-]

> Isn't executing arbitrary code kind of the entire point of NPM though?

No. npm is a package manager. As mentioned in the comment you're replying to, almost all package managers execute arbitrary code. Eg:

- pip

- Cargo

- apt/dpkg

- dnf/yum

- Homebrew

- RubyGems

- Composer (limited)

- Maven

> Any chance you have a link to something that describes their plans?

https://github.blog/changelog/2026-06-09-upcoming-breaking-c...