macOS Tahoe 26.4 adds a pause when pasting commands to stop social engineering attacks in Terminal


Since the release candidate of macOS Tahoe 26.4 began to circulate, several users have noticed a subtle but relevant change in the way the system treats commands pasted into Terminal. According to reports, the system now stops execution when it detects that the pasted content could be dangerous and shows a warning that explains why such an action could pose a risk to the computer. It is not an absolute block, but an intervention designed to stop attacks based on social engineering.

This measure was not detailed in the official update notes, although Apple did publish the release notes on its developer portal (macOS Tahoe 26.4 release notes). The appearance of the new alert was documented by users in forums and on social networks, for example in a thread in the macOS Beta community on Reddit (reports on Reddit) and in individual posts on X (an example of a user who investigated the behavior).


The apparent objective of this change is to stop what the security community knows as ClickFix attacks: manipulation techniques that encourage the victim to copy and paste a command into the terminal with the promise of "fixing" something or verifying an account. Because the victim enters the command personally, many automated defenses are bypassed and the malicious code runs with the user's permissions. The macOS intervention attempts to break that chain: to interrupt the momentum of the paste and force a reflective pause.

According to public observations, when the system detects a command being pasted from Safari into Terminal, it shows a dialog stating that execution was stopped and that no damage has occurred. The alert also explains, in general terms, that scammers often distribute dangerous instructions through malicious messages, forums or extensions. Users may choose not to continue, or ignore the warning and continue if they know exactly what the command does.

Reports are not unanimous about how it works internally. Some testers claim that the warning appears only once per session, because after several dangerous commands such as sudo rm -rf / they stopped receiving warnings. Others have suggested that the system performs some kind of heuristic analysis, as harmless commands do not trigger the alert. Apple, so far, has not published a support document describing how it detects and classifies pastes as risky, and specialist media have tried to gather more information by contacting the company directly (BleepingComputer is among those that have reported on it and sought answers).

There are no magic solutions in security: this warning is welcome, but it must not be an excuse to lower one's guard. It remains to be clarified which signals macOS uses to trigger the alert (whether it is based on the source of the text, patterns within the pasted string or other telemetry) and whether these rules can be circumvented by more sophisticated attackers. This is why experts continue to recommend caution when executing instructions copied from the Internet.


If you work with Terminal and want to reduce the risk, there are simple practices that help avoid falling into traps: carefully review each command before running it, paste first into a text editor to inspect its content, distrust "magic" solutions shared on social networks and forums, and prefer operations that do not require elevated privileges where possible. Whenever an instruction comes from an unverified source, the most prudent course is not to execute it.
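
The "inspect before you run" habit can also be scripted. The function below is an added example, not code from Apple or from the reports cited here; its patterns are assumptions chosen for illustration and say nothing about how macOS decides when to warn.

```shell
# Added example: review pasted text before it reaches a shell.
# The patterns are this example's own assumptions, not Apple's rules.
# Usage on macOS (pbpaste prints the clipboard): pbpaste | inspect_paste

# note: print one finding and count it
note() { findings=$((findings + 1)); printf 'FLAG: %s\n' "$1"; }

# has: true if the pasted text matches the extended regex in $1
has() { printf '%s' "$text" | LC_ALL=C grep -Eq -e "$1"; }

# inspect_paste: read candidate text on stdin, show it with control
# characters made visible, list reasons for caution, and return the
# number of findings as the exit status (0 means nothing was flagged).
inspect_paste() {
  findings=0
  nl='
'
  # Keep trailing newlines, which $(...) would otherwise strip.
  text=$(cat; printf x); text=${text%x}

  echo '--- pasted text (cat -v: control bytes as ^X, non-ASCII as M-x) ---'
  printf '%s\n' "$text" | cat -v
  echo '--- findings ---'

  case $text in
    *"$nl"*) note 'contains a newline: a shell may run it as soon as it is pasted' ;;
  esac
  has '[^[:print:][:space:]]' &&
    note 'non-ASCII or control bytes (possible look-alike or hidden characters)'
  has '(^|[^[:alnum:]_])sudo([^[:alnum:]_]|$)' &&
    note 'asks for elevated privileges (sudo)'
  has '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([^[:alnum:]_]|$)' &&
    note 'pipes a download straight into a shell'
  has 'base64[[:space:]]+(-d|-D|--decode)' &&
    note 'decodes an encoded payload'
  has '(^|[^[:alnum:]_])rm[[:space:]]+-[[:alpha:]]*r' &&
    note 'recursive delete (rm -r)'

  [ "$findings" -eq 0 ] && echo 'nothing flagged; still read the command before running it'
  return "$findings"
}
```

A clean result only means none of these few patterns matched; it is a prompt to read the command, not a verdict that it is safe.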

Apple's change puts the attention where it should be: giving the user time to think before running code that could compromise the system. However, the security community will remain vigilant and users should keep actively verifying what they run. For those who want to follow the development of this feature and read the reports of those who have already tested it, community posts and Apple's notes are good starting points: the Reddit conversation mentioned above is available in that thread, and the official documentation can be consulted in the release notes. In addition, specialist outlets such as BleepingComputer have covered the initial reports and are in contact with Apple for clarification.

In short, the new feature in macOS Tahoe 26.4 is an interesting advance in protection against traps based on copy and paste. It is one more layer of human-oriented defense, not the final panacea, and it should be combined with good habits, skepticism toward external instructions and, when necessary, seeking technical advice before executing commands that are not fully understood.
