Downloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle (MITM) attacks. Such an attack can allow an attacker to insert arbitrary content into the downloaded file and, in the worst case, execute arbitrary code on the vulnerable system.

Use a transfer protocol that includes encryption (for example HTTPS instead of HTTP) when downloading executables or other sensitive files.

In this example a server downloads a shell script from a remote URL using the node-fetch library, and then executes this shell script.

The HTTP protocol is vulnerable to MITM, so an attacker could potentially replace the downloaded shell script with arbitrary code, giving the attacker complete control over the attacked system.

The issue has been fixed in the below example by replacing the HTTP protocol with the HTTPS protocol.
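The pattern above, as an added Node.js example that is not the query's own sample code: the insecure fetch-then-execute flow is shown for contrast, and the hardened path rejects any URL whose scheme is not `https:` before a single byte is downloaded. `fetchImpl` and `runScript` are hypothetical injected parameters (standing in for node-fetch and `child_process.execSync`) so the check can be exercised offline with a constructed stub.

```javascript
// Schemes accepted for downloading anything that will be executed.
// Plain "http:" is deliberately absent: it offers no integrity or
// confidentiality against an on-path attacker.
const ENCRYPTED_SCHEMES = new Set(['https:']);

// Insecure pattern (for contrast only, never called here): the script is
// fetched over plaintext HTTP and handed straight to the shell.
async function downloadAndRunInsecure(fetchImpl, runScript) {
  const res = await fetchImpl('http://example.com/setup.sh'); // MITM-able
  return runScript(await res.text());
}

// Returns true only when the URL parses and uses an encrypted transport.
function isEncryptedDownloadUrl(urlString) {
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch {
    return false; // malformed input is rejected rather than guessed at
  }
  return ENCRYPTED_SCHEMES.has(parsed.protocol);
}

// Hardened download: refuse before fetching, and fail on non-2xx responses
// so a partial or error body is never treated as a script.
async function downloadScript(urlString, fetchImpl) {
  if (!isEncryptedDownloadUrl(urlString)) {
    throw new Error(`refusing to download ${urlString}: transport is not encrypted`);
  }
  const res = await fetchImpl(urlString);
  if (!res.ok) {
    throw new Error(`download of ${urlString} failed: HTTP ${res.status}`);
  }
  return res.text();
}

// Hardened fetch-then-execute: only reaches runScript via the checked path.
async function downloadAndRunSecure(urlString, fetchImpl, runScript) {
  const script = await downloadScript(urlString, fetchImpl);
  return runScript(script);
}

// Constructed stub standing in for node-fetch; serves a fixed script body.
const stubFetch = async () => ({
  ok: true,
  status: 200,
  text: async () => '#!/bin/sh\necho hello\n',
});
```

Calling `downloadAndRunSecure('http://example.com/setup.sh', stubFetch, run)` rejects before any network access, while the `https://` form of the same URL downloads and runs the body.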

  • OWASP: Man-in-the-middle attack.