Discussion
A lot of people are apparently happily running a script clearly marked as a root exploit from some random website using curl | bash 
Some do inspect the script, but then still run it using curl | bash anyway. 
Incidentally, this very relevant blogpost about detecting curl | bash and serving different scripts based on that is almost exactly a decade old:
https://web.archive.org/web/20230318063325/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
@rysiek does the exploit work on android though? 
@rysiek The best thing is, it's a blob.
@rysiek i firstly did curl (url) and after that piped, not in one command - in two. if you don't pipe it instantly to bash it just shows that code, and it's still curl so code which'd be executed i literally saw in whole just without execution firstly.
@hacknorris I would never run it on my workstation anyway, that's what VMs are for.
@rysiek piping random stuff should be grounds for immediate termination as a sysadmin!
@rysiek Nicely illustrative. This is one of the reasons why I like having different execution contexts for (a) fetching content from external resources into files and (b) using files, possibly executing them without network access, as being done by reproducibility-targeted frameworks like #guix or #nix.
@dreiwert my understanding here is that this is an exploit that breaks containers boundary, and probably other things, as long as they depend on the Linux kernel enforcement.
@mcepl when computers are involved, devilry is always an option
@rysiek@mstdn.social
curl | bash (It's python but whatever) works fine if one trusts the web server it curl'd. For example, if someone is installing a toolchain and would download the toolchain from that same server anyway, curl |bash would be fine as it didn't trust more entities it would have with alternative means.
(Of course blindly curl|bash is a thing and I won't argue that's indeed bad)
But that copy[dot]fail website which seems extremely AI-pilled? ... 😬
Also that python script seems extremely obfuscated and unreadable (*). That's probably intended to support the claim of "732-byte Python script"... Haha as if how few lines of code a PoC have means anything outstanding right 🙃 Deeply unserious people.
(*) after I downloaded it from Github. I don't trust Microsoft very much but I have not heard that Microsoft has ever served targetted malware to people downloading things from Github either.
@Orca but one is not installing a toolchain in the very specific context that is relevant to the post you are responding to. One is running a piece of (obfuscated, as you pointed out) code that is marked as a root exploit directly from a random website.
I mean, how hard would it be for a malicious actor to create a website about some bogus vulnerability and serve a curl|bash malware that doesn't get root, but steals credentials instead?
Or even copy that website and exploit, and spice it up?
@rysiek there's the deobfuscated python code in a GitHub issue: https://github.com/theori-io/copy-fail-CVE-2026-31431/issues/54
My guess is that they compressed it so they can get it down to the 732 byte size, as if anyone really cares about that these days.
@rysiek I inspected the code, saw a compressed blob and noped all the way down that back.
@rysiek I cut and pasted it into nano after inspecting the code - incidentally it worked once on Linux Mint but there was a subsequent kernel update and it no longer works (which I guess is a good thing!)
Install bonfire.cafe
Get the full app experience
