Apple macOS Tahoe 26.4 Terminal warning blocks ClickFix-style pasted commands
Security Tool/Service
Summary
Hide ▲
Show ▼
Apple added a Terminal safety warning in macOS Tahoe 26.4 that delays or blocks pasted commands when they look harmful, reducing the chance that users execute ClickFix-style instructions. The control matters because it targets a common social-engineering path where attackers rely on users to paste malicious commands themselves. Users can still choose to continue, but the warning adds an extra checkpoint before code runs.
Related Happenings
MacOS LOTL detection and hardening guidance against native-tool abuse
Defensive Guidance
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...
MacOS LOTL detection and hardening guidance against native-tool abuse
Defensive GuidanceAbout this happening: Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityAbout this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
First: 08.04.2026 21:55
Last: 08.04.2026 21:55
Sources 1
About this happening:
A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
Atomic Stealer macOS Script Editor ClickFix campaign
CampaignAbout this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
Claude Code deny-rule bypass fix (version 2.1.90)
Security Patch Release
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic** released **Claude Code version 2.1.90** last week to fix a command-parsing flaw that could let **user-configured deny rules** silently stop applying when a command e...
Claude Code deny-rule bypass fix (version 2.1.90)
Security Patch ReleaseAbout this happening: **Anthropic** released **Claude Code version 2.1.90** last week to fix a command-parsing flaw that could let **user-configured deny rules** silently stop applying when a command e...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware Activity
First: 16.03.2026 13:41
Last: 16.03.2026 13:41
Sources 1
About this happening:
The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
MacSync macOS infostealer with dynamic AppleScript and in-memory execution
Malware ActivityAbout this happening: The **MacSync** macOS infostealer now uses **dynamic AppleScript payloads** and **in-memory execution** to reduce static detection and complicate response. It is being delivered t...
Latest development: 10.05.2026 20:52
A MacSync macOS infostealer campaign is abusing Google Ads and legitimate Claude.ai shared chats to lure users searching for "Claude mac download" into following Terminal instructions that download and run malware on their Mac. One observed variant uses polymorphic delivery, checks for Russian or CIS-region keyboard input sources and sends a cis_blocked ping before exiting, then profiles the victim with external IP address, hostname, OS version, and keyboard locale before using osascript to run a second-stage payload; another variant skips profiling and exfiltrates browser credentials, cookies, and macOS Keychain contents.
Timeline
-
30.03.2026 17:32 2 articles · 1mo ago
Apple adds Terminal paste warning in macOS Tahoe 26.4
Mitigation Patch UpdateApple introduced a new Terminal warning in macOS Tahoe 26.4 that delays or blocks pasted commands and alerts users when a command may be harmful, with the mechanism aimed at reducing ClickFix attacks. macOS users reported that the alert can appear when commands are copied from Safari and pasted into Terminal, while the exact risk-scoring logic remains unclear and Apple has not published an official support document.
Show sources
- Apple adds macOS Terminal warning to block ClickFix attacks — www.bleepingcomputer.com — 30.03.2026 17:32
- Apple adds macOS Terminal warning to block ClickFix attacks — www.bleepingcomputer.com — 30.03.2026 17:32