macOS 26.4 Brings New Terminal Security Feature to Stop Malicious Commands

macOS 26.4 is now out, and with it comes a new feature in the Terminal app to help prevent malicious commands pasted into the terminal from running.

For those not familiar, the Terminal allows advanced users to navigate the filesystem and run commands on their Mac without a graphical interface, allowing for much more control. It’s essentially just another way to control your computer.

Unfortunately, the extra power the Terminal provides often allows attackers similar freedom over your system.

A common tactic for scammers is to coach victims to open the terminal and input malicious commands. Even experienced terminal users can fall victim to copy-and-pasting malicious commands from web pages. The command you see can be completely different than the one that ends up on your clipboard.

This attack has been around for years but the most recent variation is ClickFix.

ClickFix takes advantage of various phishing methods like emails and malicious ads that lead users to a page that tricks users into launching their Terminal or PowerShell that downloads an obfuscated malicious code to run.

The sites can imitate CAPTCHA verification prompts with instructions to launch your terminal and paste and run the malicious command.

The attack is particularly insidious because it exploits a common pattern online that users have been trained over years to do without thinking.

Apple’s answer to these attacks is a new feature in Terminal that prevents pasted commands from running, stopping attacks like this in their tracks.

If you’re a power user, you don’t have to worry about being prompted every time you paste a command in the Terminal. But users who may not even know what the Terminal is will benefit from this warning immensely I think.

The warning also helpfully explains common coaching vectors that might alert people to the techniques scammers use to coach people into running the malicious commands, something we’ve seen with other attempts at combatting scammers inside operating systems like Google’s attempt in Android.

Scamming relies heavily on social engineering, and any roadblocks put in the way of scammers coaching people will inevitably be bypassed. It’s always a cat-and-mouse game unfortunately, and the best defense will always be education. But features like this one make scamming people more difficult, so even if they can never be 100% effective, it’s worth it in the end.