macOS 26.4 Paste Protection
Apple does not inspect or analyze the contents of what you paste. Even harmless text like
"hello world"will trigger the warning under the right conditions.Instead, Terminal checks where the clipboard content came from. It does this by calling a private API
_sourceSigningIdentifieron theNSPasteboard, which reveals the code-signing identity of the application that placed the content on the clipboard.If the source app matches a predefined list (74 apps total), the paste may be flagged.
Via Jeff Johnson:
The dialog is NOT displayed if Terminal app was opened within the last 30 days, or if developer tools are installed on the Mac.
Surely, I thought, a command that pipes the contents of some random file on the internet into
bashfor execution would be worth warning about. Nope. I copied thecurlcommand from Safari, pasted it into Terminal, and hit Return. No warning from macOS and my test folder and files disappeared again.My feelings about this have gone from “I hope Apple doesn’t make it impossible for me to work the way I normally do” to “Looks like Apple isn’t going overboard on the protection” to “Is there any protection here at all?”
You can read more about ClickFix attacks in MacPaw’s Moonlock Labs write-up: “How ClickFix attacks trick users and infect devices with malware”
[…]
Long before macOS 26.4 (ok, like a month 😄), when Apple added native ClickFix protection, I had already added ClickFix protection to BlockBlock[…]
[…]
The reason Apple doesn’t allow us to subscribe to these events—specifically
ES_EVENT_TYPE_RESERVED_1(the paste event)—is that it’s private, and thus only available to clients that possess thecom.apple.private.endpoint-security.cliententitlement.
Previously:
Update (2026-04-08): Ferdous Saljooki:
If you’re looking to trigger this on a test machine running macOS 26.4:
- /Library/Developer must not exist and no dev tools [including non-Apple tools] should be installed
- /var/db/.AppleSetupDone must be older than 24 hours. On a fresh install backdate it:
sudo touch -t 202603200000 /var/db/.AppleSetupDone- Clear Terminal’s state:
defaults delete com.apple.Terminal LastTerminalStartTimeanddefaults delete com.apple.Terminal UserAcknowledgedPasteWarning- Quit Terminal completely and relaunch
- Copy ANY text from Safari and paste into Terminal
Update (2026-04-13): Howard Oakley:
Although important, devising those defences is continuing the game of cat and mouse: no sooner are they in place than the attackers switch to a different ploy, as they have recently done by abusing a URL scheme and Script Editor. macOS offers a seemingly endless supply of mechanisms available for such abuse.
What has largely escaped attention is how bizarre user behaviour has become. Here’s a victim using a thoroughly GUI operating system copying what to them can only be incomprehensible gibberish and pasting it into Terminal, or running it in Script Editor. Why on earth would a user fall prey to that?
[…]
Over this period, tackling problems on Macs has moved from understanding how to use those GUI tools to blindly entering magic spells in Terminal, and now Script Editor. This trend has been promoted by search engines and most recently AI assistance, both of which are primarily text-based. Ask Google a Mac question, and the chances are you’ll be presented with commands to paste in, rather than a well-written account of how to solve it in the GUI.
I think Apple is also partly behind this change. GUI controls are increasingly absent, hidden, or in different places in different OS versions. Recommending a Terminal command can be simpler and more future-proof.
Previously:
1 Comment RSS · Twitter · Mastodon
More analysis here:
https://x.com/malwarezoo/status/2037305551911014760
Terminal has a new private entitlement, "http://com.apple.private.CFPasteboard.get-paste-source" to query the source application that pasted. Otherwise, using the private API produces an error to the log.
