OSS Software and Ecosystem Engineer @Diagrid / Java Champion / Cloud Native Ambassador


curl | bash. That one-liner doesn’t just install a tool; it can hand over control of your machine. And here’s the uncomfortable truth: most modern supply chain attacks start exactly like this. Not in the data centre. Not at the firewall. On your laptop, because you didn’t stop to check what code you were running. Attackers know this. They hide in Git hooks, IDE plugins, build scripts, postinstall steps: code that looks routine but executes with your permissions, exfiltrating secrets, planting backdoors, and compromising pipelines and your team before you even notice. The weak link is no longer the network perimeter. It’s the developer who clicks “install” without thinking. This talk will walk through real-world examples of how a single careless installation can spiral into a full-blown supply chain breach. And then we’ll cover the defences you need to build into your workflow: isolation, dependency hygiene, short-lived credentials, and constant monitoring. If you write code, this is your fight. The attacker is already in your toolchain. The only question is whether you’ll notice before it’s too late.
Developer Advocate at HeroDevs