Archive for April 3, 2026

Friday, April 3, 2026

macOS 26.4 Paste Protection

Adam Codega:

Apple does not inspect or analyze the contents of what you paste. Even harmless text like "hello world" will trigger the warning under the right conditions.

Instead, Terminal checks where the clipboard content came from. It does this by calling a private API _sourceSigningIdentifier on the NSPasteboard, which reveals the code-signing identity of the application that placed the content on the clipboard.

If the source app matches a predefined list (74 apps total), the paste may be flagged.

Via Jeff Johnson:

The dialog is NOT displayed if Terminal app was opened within the last 30 days, or if developer tools are installed on the Mac.

Dr. Drang:

Surely, I thought, a command that pipes the contents of some random file on the internet into bash for execution would be worth warning about. Nope. I copied the curl command from Safari, pasted it into Terminal, and hit Return. No warning from macOS and my test folder and files disappeared again.

My feelings about this have gone from “I hope Apple doesn’t make it impossible for me to work the way I normally do” to “Looks like Apple isn’t going overboard on the protection” to “Is there any protection here at all?”

Patrick Wardle:

You can read more about ClickFix attacks in MacPaw’s Moonlock Labs write-up: “How ClickFix attacks trick users and infect devices with malware

[…]

Long before macOS 26.4 (ok, like a month 😄), when Apple added native ClickFix protection, I had already added ClickFix protection to BlockBlock[…]

[…]

The reason Apple doesn’t allow us to subscribe to these events—specifically ES_EVENT_TYPE_RESERVED_1 (the paste event)—is that it’s private, and thus only available to clients that possess the com.apple.private.endpoint-security.client entitlement.

Previously:

Update (2026-04-08): Ferdous Saljooki:

If you’re looking to trigger this on a test machine running macOS 26.4:

  1. /Library/Developer must not exist and no dev tools [including non-Apple tools] should be installed
  2. /var/db/.AppleSetupDone must be older than 24 hours. On a fresh install backdate it: sudo touch -t 202603200000 /var/db/.AppleSetupDone
  3. Clear Terminal’s state: defaults delete com.apple.Terminal LastTerminalStartTime and defaults delete com.apple.Terminal UserAcknowledgedPasteWarning
  4. Quit Terminal completely and relaunch
  5. Copy ANY text from Safari and paste into Terminal

Update (2026-04-13): Howard Oakley:

Although important, devising those defences is continuing the game of cat and mouse: no sooner are they in place than the attackers switch to a different ploy, as they have recently done by abusing a URL scheme and Script Editor. macOS offers a seemingly endless supply of mechanisms available for such abuse.

What has largely escaped attention is how bizarre user behaviour has become. Here’s a victim using a thoroughly GUI operating system copying what to them can only be incomprehensible gibberish and pasting it into Terminal, or running it in Script Editor. Why on earth would a user fall prey to that?

[…]

Over this period, tackling problems on Macs has moved from understanding how to use those GUI tools to blindly entering magic spells in Terminal, and now Script Editor. This trend has been promoted by search engines and most recently AI assistance, both of which are primarily text-based. Ask Google a Mac question, and the chances are you’ll be presented with commands to paste in, rather than a well-written account of how to solve it in the GUI.

I think Apple is also partly behind this change. GUI controls are increasingly absent, hidden, or in different places in different OS versions. Recommending a Terminal command can be simpler and more future-proof.

Previously:

A Letter to John Ternus

Marco Arment (Mastodon):

I urge you, on behalf of everyone who loves computers as much as we do, to protect and cultivate this spirit of Apple’s founders as the company’s top priority:

  • We love computers. We don’t hide that — we celebrate it!
  • We use computers to enhance our minds, lives, and abilities — not to be controlled, restricted, tricked, placated, angered, or surveilled.
  • Our computers work for us, with the utmost respect for our time, attention, money, data, and privacy.
  • We are customers and owners — not resources to be harvested, annoyed, or badgered into ever more services and upsells.

[…]

Making great computers must remain Apple’s top responsibility, because if you don’t do it, nobody will.

Previously:

Small Ways the App Store Could Be Improved for Developers

Jeff Johnson (Mastodon):

There are countless small, practical, mostly uncontroversial ways in which Apple could improve the App Store for developers, yet the App Store has changed relatively little in the 18 years since it was hastily cloned from the iTunes Music Store. […] These changes to the App Store would not require a huge financial investment from Apple. They would simply require Apple to care about the App Store and developers.

[…]

Apple is actually punishing developers for making native apps on each of Apple’s platforms! (In contrast, if I made an “iOS app on Mac,” then there would be only one review.)

[…]

We should be able to edit the metadata after an app has been published. Apple can of course review the edits before the metadata is changed in the App Store.

[…]

Stop using a session cookie for developer website logins!

[…]

App Store Connect is one of the slowest websites I’ve ever used.

[…]

Stop sending a 1.2 MB promo code email—without any actual promo codes!—every time we generate a promo code. […] Several of my apps are a Universal Purchase for iOS and macOS. But for some reason, all promo codes are platform-specific.

[…]

Allow App Store users on older versions of iOS to purchase the last compatible version of an app.

[…]

Show a “contact developer” button when an App Store user leaves a 1 to 3 star rating.

[…]

When an App Store user searches for an app by name, the app should appear first in the results.

Previously:

Copyright © 2000–2026 Michael Tsai.