GeorgeOldfield | 17 days ago

It's fun, but PLEASE watch out for malicious code/supply chain attacks from random vibe-coded .sh scripts:

downloads other scripts (peon.sh, uninstall.sh) and executes them or places them where they will be executed later

edits your ~/.bashrc and ~/.zshrc files to add aliases and tab completion

parses a remote JSON file to get filenames ($sfile) and then does: curl ... -o "$INSTALL_DIR/packs/$pack/sounds/$sfile"
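The last item in the comment above is a path built from a remotely supplied value. One way an install script could check `$pack` and `$sfile` before they reach `curl ... -o` is sketched here as an added example; it is not part of the thread or of the project's scripts, and the function names, the allowed character set and the audio extensions are assumptions.

```shell
#!/bin/sh
# Added example: allowlist check for manifest-supplied path components.
LC_ALL=C; export LC_ALL   # make the [A-Za-z] ranges byte-exact

# is_safe_component STR: succeed only for a single, plain path component.
is_safe_component() {
    case $1 in
        ''|.*|-*)          return 1 ;;  # empty, "."/".."/dotfiles, option-like
        */*|*\\*)          return 1 ;;  # path separators
        *[!A-Za-z0-9._-]*) return 1 ;;  # spaces, newlines, shell metacharacters
    esac
    return 0
}

# is_safe_name STR: a safe component that also ends in an audio extension.
is_safe_name() {
    is_safe_component "$1" || return 1
    case $1 in
        *.mp3|*.wav|*.ogg) return 0 ;;  # assumed set of sound formats
    esac
    return 1
}

# dest_for INSTALL_DIR PACK SFILE: print the destination path, or fail
# without printing anything when PACK or SFILE is not a plain name.
dest_for() {
    is_safe_component "$2" || return 1
    is_safe_name "$3"      || return 1
    printf '%s/packs/%s/sounds/%s\n' "$1" "$2" "$3"
}

# Constructed sample names, as they might arrive from the remote JSON.
for sfile in WhereDoesItHurt.mp3 ../../../.bashrc sub/dir.mp3 -o.mp3 peon.sh; do
    if dest=$(dest_for "/tmp/demo-install" "sc_medic" "$sfile"); then
        echo "accept: $dest"   # the installer would now run: curl ... -o "$dest"
    else
        echo "reject: $sfile"
    fi
done
```
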


JohnMakin|17 days ago

Lol, yea, the scripts are beyond sketchy. This is the new vector, a cool idea masking itself as "fun" (which it is actually fun). People not understanding or vibing may not understand what they're installing. Even if this author isn't malicious, you cannot assume that will always be the case.

philsnow|17 days ago

The author might not be malicious, but from going through some of the audio packs, they're really not quality-checking PRs. For instance, sc_medic/sounds/WhereDoesItHurt.mp3 sounds like two-and-a-half sounds stuck together ("Critical? You Rang? Please state the nat--", it cuts off right there, and doesn't include the phrase "Where does it hurt?").

I wouldn't use this repo outside of some kind of sandbox.

ziml77|17 days ago

I don't think using something fun as an attack vector is anything new at all. It's an easy way to have someone let their guard down because you want to play around and aren't thinking how something silly could actually be out to get you.