macOS 26.4 Paste Protection

Adam Codega:

Apple does not inspect or analyze the contents of what you paste. Even harmless text like "hello world" will trigger the warning under the right conditions.

Instead, Terminal checks where the clipboard content came from. It does this by calling a private API _sourceSigningIdentifier on the NSPasteboard, which reveals the code-signing identity of the application that placed the content on the clipboard.

If the source app matches a predefined list (74 apps total), the paste may be flagged.

Via Jeff Johnson:

The dialog is NOT displayed if Terminal app was opened within the last 30 days, or if developer tools are installed on the Mac.

Dr. Drang:

Surely, I thought, a command that pipes the contents of some random file on the internet into bash for execution would be worth warning about. Nope. I copied the curl command from Safari, pasted it into Terminal, and hit Return. No warning from macOS and my test folder and files disappeared again.

My feelings about this have gone from “I hope Apple doesn’t make it impossible for me to work the way I normally do” to “Looks like Apple isn’t going overboard on the protection” to “Is there any protection here at all?”

Patrick Wardle:

You can read more about ClickFix attacks in MacPaw’s Moonlock Labs write-up: “How ClickFix attacks trick users and infect devices with malware”

[…]

Long before macOS 26.4 (ok, like a month 😄), when Apple added native ClickFix protection, I had already added ClickFix protection to BlockBlock[…]

[…]

The reason Apple doesn’t allow us to subscribe to these events—specifically ES_EVENT_TYPE_RESERVED_1 (the paste event)—is that it’s private, and thus only available to clients that possess the com.apple.private.endpoint-security.client entitlement.

Previously:

• macOS 26.4
• Fake Mac Apps on GitHub
• BlockBlock 1.0

BlockBlock Endpoint Security Mac macOS Tahoe 26 Malware Pasteboard Security Terminal Xcode

Comments RSS · Twitter · Mastodon

Leave a Comment

Name

E-mail (will not be published)

Web site

Δ