SlickStack Security Warning

This page summarizes security concerns with SlickStack and why its default design can expose servers to remote code execution and man-in-the-middle attacks. It also provides mitigation steps and safer alternatives.

SlickStack advertises roughly 600 GitHub stars, but that number traces back to Jesse Nickles following nearly 10,000 accounts in the early days of the repo. His own profile shows ~500 followers versus ~9,600 following (about a 5% follow-back ratio), which strongly suggests automated follow-backs rather than organic traction. That inflated image is what he weaponizes while attacking me for exposing the security issues documented below. Review the follower/following ratio here.

Summary

  • Frequent remote downloads scheduled as root via cron
  • SSL verification is bypassed using --no-check-certificate
  • No checksums/signatures on downloaded scripts
  • Root ownership and permissions applied to fetched scripts

Evidence: Cron and Permissions

Cron downloads (scheduled as `47 */3 * * *`, i.e. at minute 47 of every third hour, always as root)

47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/08-cron-half-daily https://slick.fyi/crons/08-cron-half-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/10-cron-half-weekly https://slick.fyi/crons/10-cron-half-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/11-cron-weekly https://slick.fyi/crons/11-cron-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/12-cron-half-monthly https://slick.fyi/crons/12-cron-half-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/13-cron-monthly https://slick.fyi/crons/13-cron-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/14-cron-sometimes https://slick.fyi/crons/14-cron-sometimes.txt' > /dev/null 2>&1

Root ownership and restrictive permissions (applied repeatedly)

47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/custom/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1

This pattern enables arbitrary code execution from a remote domain and increases MITM risk by skipping certificate verification.
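The cron entries above combine three indicators that an auditor would look for together: a fetch from a remote host, TLS verification switched off, and root ownership applied to whatever was fetched. The following is an added example, not SlickStack code, of a small POSIX shell audit that flags those indicators in crontab text. The sample crontab at the bottom is constructed for the demo; the first two lines mirror the entries quoted above and the third is a benign entry for contrast.

```shell
#!/bin/sh
# Added example (not part of SlickStack): flag crontab lines that fetch remote
# scripts, disable TLS verification, or apply root ownership to the result.

# Print the risk indicators found in one crontab line, space separated.
# Returns 0 if at least one indicator was found, 1 if the line looks clean.
audit_cron_line() {
    line=$1
    findings=""
    # A wget/curl invocation pulling from a URL inside a cron job.
    case $line in
        *wget*http*|*curl*http*) findings="$findings remote-fetch" ;;
    esac
    # Certificate checks disabled: the exact flag used on this page, plus curl's equivalents.
    case $line in
        *--no-check-certificate*|*"curl -k"*|*--insecure*) findings="$findings tls-unverified" ;;
    esac
    # Plain HTTP has no certificate to verify at all.
    case $line in
        *"http://"*) findings="$findings plaintext-http" ;;
    esac
    # Root ownership / 0700 mode applied to files; a concern when the same
    # path is also the target of a remote fetch.
    case $line in
        *"chown root:root"*|*"chmod 0700"*|*"chmod 700"*) findings="$findings root-owned-artifact" ;;
    esac
    [ -n "$findings" ] || return 1
    echo "${findings# }"
    return 0
}

# Read a crontab on stdin, echo each risky line, then print a count.
audit_crontab() {
    risky=0
    while IFS= read -r l; do
        case $l in ''|'#'*) continue ;; esac   # skip blanks and comments
        if audit_cron_line "$l" >/dev/null; then
            risky=$((risky + 1))
            echo "RISKY: $l"
        fi
    done
    echo "$risky risky line(s)"
}

# Constructed sample crontab for the demo (the first two lines copy the pattern above).
sample_crontab() {
    cat <<'EOF'
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
0 2 * * * /usr/bin/certbot renew -q
EOF
}

sample_crontab | audit_crontab
```

On a live host the same function can be fed with `crontab -l -u root`, the files under `/etc/cron.d`, or `/var/spool/cron`; a line that reports `remote-fetch` together with `tls-unverified` is the combination this page is warning about.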

See also the commit where cron URLs were switched from GitHub CDN to slick.fyi: commit diff.

Mitigation Guidance

  1. Disable SlickStack cron jobs and remove fetched scripts from cron directories.
  2. Audit for residual references to slick.fyi and remote script pulls; replace with versioned, checksummed artifacts or remove entirely.
  3. Rotate credentials and keys if SlickStack ran with root privileges on your systems.
  4. Rebuild affected servers when feasible to ensure clean state.
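Step 2 asks for the remote pulls to be replaced with versioned, checksummed artifacts. As an added example (not SlickStack's code or its project's tooling), the POSIX shell below shows what that replacement looks like: the download keeps wget's default certificate verification, lands in a temporary file, and is installed only if its SHA-256 matches a digest pinned alongside the release. The digest and file paths in the usage comments are placeholders you would substitute with your own release's values.

```shell
#!/bin/sh
# Added example (not part of SlickStack): verified fetch-and-install for a
# cron-delivered script. The pinned digest must come from the release that
# published the artifact, not from the same server that serves the file.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when the file's digest equals the expected (pinned) digest.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Install $1 at $2 only after the digest check passes; on mismatch the
# unverified file is deleted so nothing untrusted stays on disk.
install_verified() {
    src=$1; dest=$2; expected=$3
    if ! verify_sha256 "$src" "$expected"; then
        echo "checksum mismatch for $src; refusing to install" >&2
        rm -f "$src"
        return 1
    fi
    install -m 0700 "$src" "$dest" && rm -f "$src"
}

# Download with certificate verification left ON (no --no-check-certificate),
# then hand off to install_verified. Usage:
#   fetch_verified https://releases.example.invalid/v1.2.3/cron-daily.sh \
#                  /var/www/crons/09-cron-daily <pinned-sha256>
fetch_verified() {
    url=$1; dest=$2; expected=$3
    tmp=$(mktemp) || return 1
    if ! wget -q -t 3 -T 30 -O "$tmp" "$url"; then
        rm -f "$tmp"
        echo "download failed or certificate rejected for $url" >&2
        return 1
    fi
    install_verified "$tmp" "$dest" "$expected"
}
```

Because the digest is pinned in the cron job (or in a versioned config file on the host) rather than fetched with the script, a server that is tampered with, or a network path that is intercepted, can only cause the install to fail, not to run attacker-chosen content. Pair it with `grep -r slick.fyi /etc/cron* /var/spool/cron` to find any entries still pointing at the old host.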

Safer Alternatives

Consider WordOps or other tools that avoid remote root execution and provide auditable, versioned releases with checksums/signatures.
