Attacks via Terminal: Apple prevents command execution

More and more malware is also being spread via terminal commands that users willingly enter. macOS now has a precautionary measure for this.


Terminal with command-line execution: In this example, we were not stopped despite sudo.

(Image: heise medien)


With macOS Tahoe 26.4, released this week, Apple has integrated a new warning function intended to stop users from executing dangerous command-line commands. As users report on social media such as Reddit, the clipboard appears to be monitored: if Apple detects potentially malicious code there, pasting is not possible at all. However, it initially remained unclear exactly when the warning would trigger.

Recently, more and more users have become interested in the command line and Apple's Terminal app on the Mac. The reason is the hype around AI assistants and AI programming tools such as OpenClaw and Claude Code. OpenClaw is easiest to install via the command line, and Claude Code and other coding assistants are often used directly from the terminal. All of this means that more users, including many beginners, are coming into contact with the terminal for the first time. To avoid typing a lot, they copy command-line commands from the web and execute them, not infrequently entering an administrator password in the process.


In this way, malicious code can easily take over the entire computer. Recently, this has happened more frequently with the infostealer GhostClaw or GhostLoad, which was distributed via fake GitHub repositories and npm packages. Here too, users interact directly with the command line, possibly without knowing what they are doing.

Apple's new terminal danger warning complements the existing protections against malicious code being executed with a single click. If macOS 26.4 or later detects problematic code, a warning appears that the content is “possibly malware”, and the commands do not end up in the terminal. The pop-up further states that the Mac has not been damaged – and explains that scammers are increasingly trying to damage the computer by inserting text into the terminal – “or compromise your privacy.” Apple adds that these scam instructions are distributed “via websites, chat agents, apps, files, or phone calls.”

Users can choose to paste the content into the terminal anyway, so Apple has not strictly blocked it so far. It is unclear exactly which commands trigger the warning and whether the system also inspects shell scripts downloaded at run time, which attackers often use. In a test with a legitimate command-line interface (CLI) tool from an audio service, which also requires an administrator password (itself problematic), the command was not stopped.


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.