diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..8c7fbae
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-03-12 - Prevent Symlink Attacks in Package Installers
+**Vulnerability:** Hardcoded, predictable temporary file paths (e.g., `/tmp/yq`) used prior to `sudo mv` operations for binary installation.
+**Learning:** Malicious local users can create symlinks at predictable `/tmp` locations before an installation script executes. When the elevated script (using `sudo`) writes to or moves from these predictable paths, it can be exploited to overwrite critical system files, leading to privilege escalation or denial of service.
+**Prevention:** Always use `mktemp -d` to create secure, unpredictable temporary directories for downloading or processing files, especially when running with elevated privileges or performing cross-user operations.
diff --git a/tools/os_installers/apt.sh b/tools/os_installers/apt.sh
index 156016b..e651213 100644
--- a/tools/os_installers/apt.sh
+++ b/tools/os_installers/apt.sh
@@ -231,9 +231,11 @@ fi
 echo "Installing yq..."
 if ! command -v yq &> /dev/null; then
     YQ_VERSION="v4.44.6"
-    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O /tmp/yq
-    sudo mv /tmp/yq /usr/local/bin/yq
+    TMP_DIR=$(mktemp -d)
+    wget "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -O "$TMP_DIR/yq"
+    sudo mv "$TMP_DIR/yq" /usr/local/bin/yq
     sudo chmod +x /usr/local/bin/yq
+    rm -rf "$TMP_DIR"
 fi
 
 # Install lsd (LSDeluxe)