> For an attacker, bash just seems like an ineffective attack vector
All it needs to do is curl and run the actual payload.
Or even the standard "echo xxx | base64 -d" or a million other ways. How can someone say that bash is not interesting to an attacker is beyond me.