Ferdous Saljooki
staff macOS security researcher @jamfsoftware views are my own

Mar 26, 10 tweets

In macOS Tahoe 26.4 Apple added a new security feature to Terminal that warns users of potentially malicious pastes with a "Possible malware, Paste blocked" prompt. Here's how it actually works 🧵

ClickFix attacks have surged over the years. The scam is simple: a fake website tells you to open Terminal and paste a command that installs malware. Apple's new feature blocks this, but not the way you'd expect.

Apple doesn't scan the command you paste. You can paste "hello world" from TextEdit and it triggers the warning. The content is completely irrelevant.

Instead, Terminal checks WHO you copied from. It calls _sourceSigningIdentifier on the NSPasteboard to read the code signing identity of the app that wrote to your clipboard. Safari, Chrome, Firefox, Mail, WhatsApp, Telegram and 74 apps total are on the list.

But the warning doesn't fire for everyone. There are 5 checks that ALL must pass:

1. Copied from a listed browser, email, or chat app
2. Mac was set up more than 24 hours ago
3. You are NOT a developer
4. You have not opened Terminal in the last 30 days
5. You have not clicked "Paste Anyway" before

The developer check is aggressive. If /Library/Developer exists (Xcode CLI tools create this), you're exempt. If you have VS Code, Docker, any JetBrains IDE, or any of 33 other dev tools installed, the warning is skipped entirely.

On a fresh macOS install it does not trigger any prompts. It reads the modification timestamp of /var/db/.AppleSetupDone and waits at least 24 hours before showing any warning.

At launch, Terminal saves its last open date. If you used Terminal in the last 30 days, no warning. This targets people who never use Terminal and are only opening it because a ClickFix scam told them to. If you click "Paste Anyway," the warning is disabled. If you click "Don't Paste," the protection is preserved but opening Terminal resets the 30 day clock, so it won't fire again until you stop using Terminal for a month.

So think about who actually passes all checks: no dev tools installed, hasn't opened Terminal in over 30 days, and is now pasting something copied from a web browser. Apple doesn't need to analyze the command when the behavior is suspicious.

If you're looking to trigger this on a test machine running macOS 26.4:

1. /Library/Developer must not exist and no dev tools should be installed
2. /var/db/.AppleSetupDone must be older than 24 hours. On a fresh install backdate it: sudo touch -t 202603200000 /var/db/.AppleSetupDone
3. Clear Terminal's state: defaults delete com.apple.Terminal LastTerminalStartTime and defaults delete com.apple.Terminal UserAcknowledgedPasteWarning
4. Quit Terminal completely and relaunch
5. Copy ANY text from Safari and paste into Terminal
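As an added example (not Apple's code and not from the thread's author), the script below models the five conditions listed above as a single decision function, so a defender can reason about which machines the prompt would actually cover, and on macOS it reports the local facts behind checks 2, 3 and 5 using only the paths and defaults keys the thread names. Assumptions: the checks are evaluated in the listed order; a missing LastTerminalStartTime counts as "never opened", since clearing it is part of the repro steps; the stored format of that key is not given in the thread, so it is printed raw rather than converted to days; which app wrote the clipboard cannot be read from a shell, so it is passed in as an argument.

```shell
#!/bin/sh
# Added example: models Terminal's paste-warning gate as described in the thread.
# Not Apple's implementation; ordering and edge-case handling are assumptions.

DAY_SECONDS=86400

# Pure decision function.
#   $1 source_listed   1 if the clipboard was written by a listed browser/mail/chat app
#   $2 setup_age_secs  seconds since /var/db/.AppleSetupDone was last modified
#   $3 dev_tools       1 if /Library/Developer or a listed dev tool is present
#   $4 last_open_days  days since Terminal was last launched ("" = never recorded)
#   $5 acknowledged    1 if "Paste Anyway" was clicked before
# Prints "warn" or the first check that exempts the machine; returns 0 only when all five pass.
paste_warning_expected() {
  local source_listed="$1" setup_age_secs="$2" dev_tools="$3" last_open_days="$4" acknowledged="$5"
  if [ "$source_listed" != 1 ]; then
    echo "skip: source app not on list"; return 1
  fi
  if [ "$setup_age_secs" -lt "$DAY_SECONDS" ]; then
    echo "skip: setup under 24h old"; return 1
  fi
  if [ "$dev_tools" = 1 ]; then
    echo "skip: developer machine"; return 1
  fi
  # Assumption: an absent LastTerminalStartTime is treated as "not opened in 30 days".
  if [ -n "$last_open_days" ] && [ "$last_open_days" -lt 30 ]; then
    echo "skip: Terminal used in last 30 days"; return 1
  fi
  if [ "$acknowledged" = 1 ]; then
    echo "skip: Paste Anyway previously clicked"; return 1
  fi
  echo "warn"
  return 0
}

# macOS-only: gather the local state behind checks 2, 3 and 5 and print it.
# Uses only the paths and defaults keys named in the thread.
report_local_state() {
  local now setup_mtime setup_age dev ack last
  now=$(date +%s)
  # stat -f %m is the macOS (BSD) syntax for the modification time in epoch seconds.
  setup_mtime=$(stat -f %m /var/db/.AppleSetupDone 2>/dev/null || echo "$now")
  setup_age=$((now - setup_mtime))
  dev=0
  [ -d /Library/Developer ] && dev=1
  ack=$(defaults read com.apple.Terminal UserAcknowledgedPasteWarning 2>/dev/null || echo 0)
  last=$(defaults read com.apple.Terminal LastTerminalStartTime 2>/dev/null || echo "<not set>")
  echo "setup age (s):            $setup_age  (needs >= $DAY_SECONDS)"
  echo "/Library/Developer exists: $dev        (needs 0; other dev tools not checked here)"
  echo "UserAcknowledgedPasteWarning: $ack     (needs 0)"
  echo "LastTerminalStartTime:    $last       (raw value; format not documented in the thread)"
  echo "Outcome if copied from a listed app, with the last-open check left to you:"
  paste_warning_expected 1 "$setup_age" "$dev" "" "$ack"
}

# Only touch macOS-specific tools when actually running on macOS.
if [ "$(uname)" = "Darwin" ]; then
  report_local_state
fi
```

Running the script on a Mac prints the three locally observable facts and the decision they imply; on any other system only the pure function is defined, which is what makes the gate easy to unit test. The point the function makes visible is the one the thread ends on: an up-to-date, non-developer machine whose user never opens Terminal is exactly the profile that passes every check.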
