Has my MacBook Air been hacked?

My MacBook was acting weird, certain sites being blocked or routing me to something other than my entry. Then I was locked out. So weird. Went to the Mac store, got a wipe and reboot, but have noticed a few other things I don't remember seeing before.


1) A shared folder that has many folders inside, but when I followed to the end there was a doc labeled master.pass.stem. The document couldn't be opened by me though? It freaked me out so I deleted the folder right away.

2) In some areas of settings when you expand access there are other users

Administrators

Team

wheel

Everyone


However when I go to my user list it is only me. This especially freaked me out because the access was around remote access.


3) I found a weird file full of other things, exe files. All added on the same date. I don't recall seeing this folder before either.


Am I hacked or are these old settings from prior to the reset?


[Re-Titled by Moderator]

MacBook Air 13″, macOS 14.4

Posted on May 19, 2024 12:36 AM

Question marked as Best reply

Posted on May 19, 2024 5:10 AM

The only way to get "hacked" is to attempt to install pirated software or other hacking tools to do things like watch paid streaming services like sports events or movies for free. If you haven't done any of that, then you haven't been hacked.


The most likely explanation for these differences is that Apple upgraded your computer to the latest version of the operating system. This version may be significantly different than the old version.


You haven't said exactly what folder you deleted, other than that it was "shared". There are no shared folders enabled by default. There is a "Shared" folder under the Users folder. It doesn't have much in it. That may have been left over from your previous installation. Hopefully you didn't need any of that.


May 19, 2024 3:48 PM in response to MarthaDogg

Though there are clearly other screenshots posted on the desktop shown, here is how to make a screenshot:

Take screenshots or screen recordings on Mac - Apple Support


/private/etc is a normal and expected part of macOS.


That master.passwd.system_default file is related to a very old part of UNIX systems such as macOS, the old password file. It’s not particularly used any more, but some very old apps might expect the presence of a master.passwd file, and that default file contains the default contents of the password file.




Here is an overview of the macOS file structures, including /etc (also known as /private/etc): File System Basics


I would counsel against deleting files in system directories. Not until you are much more familiar with macOS and its internals. And would encourage having complete and current backups, prior to deletion.
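As an added illustration of the password file described in the reply above (not part of the thread and not Apple's code), this script reads a file in the 10-field BSD `master.passwd` layout and reports only entries that would deserve a second look. The sample entries are constructed, and the function names and report labels are hypothetical.

```shell
#!/bin/sh
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample in the layout of a default password file
# (not copied from the poster's machine).
sample_master_passwd() {
cat <<'EOF'
##
# User Database
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
_www:*:70:70::0:0:World Wide Web Server:/Library/WebServer:/usr/bin/false
EOF
}

# Reads the file on stdin and prints one line per finding:
#   NOPASS  empty password field
#   HASH    password field holds something other than a locked marker (* or !)
#   UID0    a non-root account with uid 0
#   SHELL   a non-root account whose shell is not false/nologin
#   BADFMT  a line without the 10 expected fields
audit_master_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        NF != 10 { print "BADFMT line " NR; next }
        {
            if ($2 == "")           print "NOPASS " $1
            else if ($2 !~ /^[*!]/) print "HASH " $1
            if ($1 != "root") {
                if ($3 ~ /^0+$/)                 print "UID0 " $1
                if ($10 !~ /\/(false|nologin)$/) print "SHELL " $1
            }
        }'
}

# Audit the file named in $1, or the constructed sample when none is given.
if [ -n "${1:-}" ]; then
    audit_master_passwd < "$1"
else
    sample_master_passwd | audit_master_passwd
fi
```

A default-style file such as the sample produces no findings: every entry is a locked system account, and only root has a real shell.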



May 19, 2024 4:54 PM in response to MarthaDogg

MarthaDogg wrote:

I deleted this it was 4 deep inside the shared folder.
https://discussions.apple.com/content/attachment/282b07f3-6379-4245-be2a-99aa7d660870

OK. I think I know what happened. Apple upgraded your computer from something really ancient.


In the process, certain system files were overwritten. This is perfectly normal. But all this is done by a script. Scripts aren't smart. They are very dumb. So rather than figuring anything out, they simply move those old files to a "Relocated Files" folder. Hopefully, they figure, the user will know what to do with them. Unfortunately, they really don't test these things on real people's computers. More often, users have no idea what to do with these things.


Somehow MrHoffman was able to figure out that when you wrote "master.pass.stem", you actually meant "master.passwd.system_default". When I searched for that file, I found many instances of people having this exact same problem 3-5 years ago. The key part of the folder wasn't "Shared", it was "Relocated".


You can just delete those files. You don't need them. In the future, please do a few things differently:

1) When in doubt, do nothing. Ask first. It sounds like you simply got lucky this time.

2) When trying to explain something, please don't leave out information. I understand that you may not know all of the information. That's why #1 is important. Screenshots can be helpful here.

3) Most importantly, don't believe what you read on the internet. It simply isn't true. Macs don't "get hacked". It simply doesn't happen. Sometimes Mac users download illegal software they shouldn't, and then do things with that software that they shouldn't. If you don't do that, and really go out of your way, bypassing multiple levels of Apple security protections, to use illegal software, then you aren't going to get hacked.


But if you believe what people on the internet tell you, then all they need to do is show you an ad on a web page that says "You've been hacked! Click here to clean". You'll click the button and install yet another useless scam app. You still won't be hacked, but maybe your bank account will be. That's the only real risk here. When enough people fall for these scams, that $10/month for Industry Leading Endpoint Security Protection adds up to millions of dollars of free money every month. And all they had to do was show you a scary-looking web page. Ka-Ching!

May 19, 2024 1:07 AM in response to MarthaDogg

Hey! The "Shared" folder is where all macOS important and application saves go. Bad idea deleting that :3


Yeah, definitely delete the folder full of EXEs. macOS doesn't support running EXEs natively :3


Did you only make 1 user for your Mac? Because all the users' home folders go in the "Users" folder where all the users go :3


You probably aren't getting hacked because of Apple's safety features.

