https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...
You can make it so that the server returns benevolent looking code when auditing it with just "curl URL", but return malware when curl is directly piped to bash.