Ferdous Saljooki
Mar 26, 10 tweets, 3 min read
In macOS Tahoe 26.4 Apple added a new security feature to Terminal that warns users of potentially malicious pastes with a "Possible malware, Paste blocked" prompt. Here's how it actually works 🧵
ClickFix attacks have surged over the years. The scam is simple: a fake website tells you to open Terminal and paste a command that installs malware. Apple's new feature blocks this, but not the way you'd expect.
Apple doesn't scan the command you paste. You can paste "hello world" from TextEdit and it triggers the warning. The content is completely irrelevant.
Instead, Terminal checks WHO you copied from. It calls _sourceSigningIdentifier on the NSPasteboard to read the code signing identity of the app that wrote to your clipboard. Safari, Chrome, Firefox, Mail, WhatsApp, Telegram and 74 apps total are on the list.
But the warning doesn't fire for everyone. There are 5 checks that ALL must pass:

1. Copied from a listed browser, email, or chat app
2. Mac was set up more than 24 hours ago
3. You are NOT a developer
4. You have not opened Terminal in the last 30 days
5. You have not clicked "Paste Anyway" before
The developer check is aggressive. If /Library/Developer exists (Xcode CLI tools create this), you're exempt. If you have VS Code, Docker, any JetBrains IDE, or any of 33 other dev tools installed, the warning is skipped entirely.
On a fresh macOS install it does not trigger any prompts. It reads the modification timestamp of /var/db/.AppleSetupDone and waits at least 24 hours before showing any warning.
At launch, Terminal saves its last open date. If you used Terminal in the last 30 days, no warning. This targets people who never use Terminal and are only opening it because a ClickFix scam told them to.

If you click "Paste Anyway," the warning is disabled. If you click "Don't Paste," the protection is preserved, but opening Terminal resets the 30-day clock, so it won't fire again until you stop using Terminal for a month.
So think about who actually passes all checks: no dev tools installed, hasn't opened Terminal in over 30 days, and is now pasting something copied from a web browser. Apple doesn't need to analyze the command when the behavior is suspicious.
If you're looking to trigger this on a test machine running macOS 26.4:

1. /Library/Developer must not exist and no dev tools should be installed
2. /var/db/.AppleSetupDone must be older than 24 hours. On a fresh install backdate it: sudo touch -t 202603200000 /var/db/.AppleSetupDone
3. Clear Terminal's state: defaults delete com.apple.Terminal LastTerminalStartTime and defaults delete com.apple.Terminal UserAcknowledgedPasteWarning
4. Quit Terminal completely and relaunch
5. Copy ANY text from Safari and paste into Terminal
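The five checks and the "Paste Anyway" / "Don't Paste" / relaunch behaviour above, modelled as a small state machine so you can reason about which machines would warn before touching a real Mac. This is an added example, not Apple's code or the thread's; the bundle identifiers, the subset of dev-tool markers, the exact 24 h / 30 day comparisons and the use of a caller-supplied clock and filesystem root are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Optional

DAY = 86400
# Assumed subset of the 74 source apps the thread says are on Apple's list.
LISTED_SOURCES = {"com.apple.Safari", "com.google.Chrome", "org.mozilla.firefox",
                  "com.apple.mail", "net.whatsapp.WhatsApp"}
# Assumed markers for the developer exemption; the thread names Xcode CLI
# tools (/Library/Developer), VS Code, Docker and JetBrains IDEs.
DEV_MARKERS = ["Library/Developer", "Applications/Visual Studio Code.app",
               "Applications/Docker.app"]


def is_developer(root="/"):
    # Check 3: any known dev-tool marker under root exempts the machine.
    return any(os.path.exists(os.path.join(root, m)) for m in DEV_MARKERS)


def setup_is_old_enough(now, root="/"):
    # Check 2: /var/db/.AppleSetupDone modified at least 24 hours ago.
    path = os.path.join(root, "var/db/.AppleSetupDone")
    try:
        return now - os.stat(path).st_mtime >= DAY
    except FileNotFoundError:
        return False  # no marker at all: treat as a fresh install


@dataclass
class TerminalState:
    last_start: Optional[float] = None   # LastTerminalStartTime
    acknowledged: bool = False           # UserAcknowledgedPasteWarning
    prev_start: Optional[float] = None   # value before the current launch

    def launch(self, now):
        # Every launch records a new start date, resetting the 30-day clock;
        # the paste decision uses the date saved by the previous launch.
        self.prev_start, self.last_start = self.last_start, now

    def should_warn(self, source_id, now, root="/"):
        # True only when all five checks from the thread pass.
        return (source_id in LISTED_SOURCES                       # 1
                and setup_is_old_enough(now, root)                # 2
                and not is_developer(root)                        # 3
                and (self.prev_start is None
                     or now - self.prev_start > 30 * DAY)         # 4
                and not self.acknowledged)                        # 5

    def paste(self, source_id, now, choice="Don't Paste", root="/"):
        # Simulate a paste; "Paste Anyway" permanently disables the warning.
        warned = self.should_warn(source_id, now, root)
        if warned and choice == "Paste Anyway":
            self.acknowledged = True
        return warned
```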
