{"id":9414,"date":"2026-04-03T13:08:08","date_gmt":"2026-04-03T17:08:08","guid":{"rendered":"https:\/\/tcn.tidbits.com\/?p=11511"},"modified":"2026-05-01T21:10:11","modified_gmt":"2026-05-02T01:10:11","slug":"macos-26-4-warns-against-terminal-based-malware-attacks","status":"publish","type":"post","link":"https:\/\/www.macworks.com\/blog\/macos-26-4-warns-against-terminal-based-malware-attacks\/","title":{"rendered":"macOS 26.4 Warns Against Terminal-Based Malware Attacks"},"content":{"rendered":"<p>We\u2019ve warned before about scams that trick users into pasting malicious commands into Terminal. Attackers create fake CAPTCHA pages\u2014often resembling Cloudflare\u2019s \u201care you a human\u201d tests\u2014that instruct visitors to open Terminal, paste a command, and press Return. Because the user executes the command themselves, macOS\u2019s security protections are bypassed. Malwarebytes recently<a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/03\/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka\" target=\"_blank\" rel=\"noopener\"> documented a macOS infostealer called Infiniti Stealer<\/a> that spreads this way, stealing Keychain passwords, browser credentials, and cryptocurrency wallets. These attacks have become common enough that Apple has<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-adds-macos-terminal-warning-to-block-clickfix-attacks\/\" target=\"_blank\" rel=\"noopener\"> added a warning<\/a> in macOS 26.4 Tahoe that appears when a user pastes a potentially dangerous command from Safari into Terminal. The protection is still in its early days\u2014in our testing, the warning dialog appeared only once, with subsequent attempts producing only a beep. Worse, if you allow the first paste, Terminal keeps allowing pastes without further warnings. It\u2019s a step in the right direction, but don\u2019t count on it yet. The core advice remains: never paste commands into Terminal from websites unless you trust the site and fully understand what it does. No legitimate CAPTCHA ever requires Terminal commands!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-11520\" src=\"https:\/\/www.macworks.com\/blog\/wp-content\/uploads\/2026\/04\/macos-26-4-warns-against-terminal-based-malware-attacks.png\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, 100vw\" srcset=\"https:\/\/www.macworks.com\/blog\/wp-content\/uploads\/2026\/04\/macos-26-4-warns-against-terminal-based-malware-attacks-1.png 980w, https:\/\/www.macworks.com\/blog\/wp-content\/uploads\/2026\/04\/macos-26-4-warns-against-terminal-based-malware-attacks-2.png 480w\" alt=\"\" width=\"881\" height=\"503\" \/><\/p>\n<p>(Featured image by iStock.com\/thomaguery)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve warned before about scams that trick users into pasting malicious commands into Terminal. Attackers create fake CAPTCHA pages\u2014often resembling Cloudflare\u2019s \u201care you a human\u201d tests\u2014that instruct visitors to open Terminal, paste a command, and press Return. Because the user executes the command themselves, macOS\u2019s security protections are bypassed. Malwarebytes recently documented a macOS infostealer [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":9415,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,69,106,25,112,185,104],"tags":[],"class_list":["post-9414","post","type-post","status-publish","format-standard","has-post-thumbnail","category-apple","category-apple-consulting-ct","category-apple-support-ct","category-mac","category-mac-support-ct","category-mactech","category-security"],"_links":{"self":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/9414","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/comments?post=9414"}],"version-history":[{"count":2,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/9414\/revisions"}],"predecessor-version":[{"id":9449,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/9414\/revisions\/9449"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media\/9415"}],"wp:attachment":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media?parent=9414"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/categories?post=9414"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/tags?post=9414"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}