User '_mbsetupuser' with shell '/bin/bash' in file '/etc/passwd' (macOS Big Sur). Have I been hacked?

Hello! The day before yesterday I was given a MacBook Pro 12.1 laptop. I immediately decided to update it to the latest macOS Big Sur (clean installation from a USB drive; the laptop's disk was completely erased before installation). The system installed fine, but after a few hours I found a strange thing in it... The following line was found in the /etc/passwd file:

_mbsetupuser:*:248:248:Setup User:/var/setup:/bin/bash

I apologize, but I have never used macOS before; I only used Arch Linux, and there, if some strange user is registered in the /etc/passwd file with the /bin/bash shell, it most likely means the system was hacked... Or is this normal for macOS Big Sur 11.5.2? Who is this user _mbsetupuser, and why does it need /bin/bash? Is it possible to somehow track the activity of this user from the moment of its first login to the system?

A screenshot with the terminal output is attached below. Thank you all in advance for any information on this issue!


UPD #1 - this user's groups:

uid=248(_mbsetupuser) gid=248(_mbsetupuser) groups=248(_mbsetupuser),12(everyone),61(localaccounts),250(_analyticsusers),701(com.apple.sharepoint.group.1),100(_lpoperator)


UPD #2 - I found another interesting user almost at the very beginning of /etc/passwd. Why is it needed, and what kind of shell is that? Here is the line:

_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico

Posted on Aug 30, 2021 4:13 PM


Aug 30, 2021 5:24 PM in response to Barney-15E

I see you are an Arch Linux user. I do not believe you are going to be happy when you realize the System volume is protected three ways: System Integrity Protection (SIP), mounted read-only, and then actually snapshotted in APFS, signed, sealed and booted from the snapshot, making it practically impossible to alter the macOS System files. Only Apple can make changes to the System. You will find many old articles about customizing Mac OS X that no longer work due to these changes from High Sierra to Mojave to Catalina to Big Sur. Every year, Apple has been locking down the operating system more and more. This broke a lot of legacy software that did things Apple no longer allows. I don't believe Apple will be locking things down to the point of iOS / iPadOS, but they have come very close to it with macOS.


(When Worlds Collide) It is the way Apple implemented it. Since Apple locked everything down you cannot alter the way the operating system works. You can only alter your user settings. This is completely the opposite way Arch Linux works.


All those user accounts are legacy UNIX related, dating all the way back to NeXTStep / OpenStep in the 1990s. Mac OS X was entirely based upon NeXTStep when Apple acquired NeXT. Most of the API calls still begin with the "ns" prefix, which stands for NeXTStep.


The _mbsetupuser is only applied when installing macOS, and its corresponding /var/setup home folder is destroyed when no longer needed. The /bin/bash shell is not a security issue. The Unix to Unix Copy Protocol hasn't been used in more than a decade. The last time I used it was more than 20 years ago. Again, it's legacy cruft left over from the late 1980s and early 1990s. All of the underscore user accounts are service accounts, meant to launch a daemon or other process. I did run a test for uucp and, although there is a user account and even a binary uucp command, the launchd daemon service is no longer configured. "sudo launchctl print-disabled system" used to list com.apple.uucp, and it was disabled by default, but with Big Sur it's not listed at all. That means the launchd plist was removed.


The more you dig the more you are going to find legacy items that likely no longer work. Here's a site that explains the Launchd system. It's more like systemd but simpler. https://www.launchd.info
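An added example, not code from any poster in this thread, that turns the two points above (the original question about _mbsetupuser and the reply's point that underscore accounts are service accounts) into a repeatable check. It assumes what the stock /etc/passwd header on macOS itself states: the file is consulted only in single-user mode, the authoritative records live in Open Directory, and the password column is "*" for every stock account. The sample entries are constructed; the last two are hypothetical and exist only so the script has something to flag.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Reads a passwd-format
# file and reports only entries that deviate from the macOS baseline, where
# every stock account (service or not) carries "*" in the password column
# because Open Directory, not this file, holds the real credentials.

# write_sample_passwd FILE
# Writes a constructed sample: the two lines quoted in the thread, two normal
# stock entries, and two hypothetical entries that a defender would want to see.
write_sample_passwd() {
    cat > "$1" <<'EOF'
# Open Directory is authoritative; this file is used only in single-user mode.
_mbsetupuser:*:248:248:Setup User:/var/setup:/bin/bash
_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico
root:*:0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
helper:*:0:0:Hypothetical second uid-0 account:/Users/helper:/bin/bash
_svc:HYPOTHETICAL_HASH:510:510:Hypothetical service account:/var/empty:/bin/bash
EOF
}

# audit_passwd FILE
# Prints one line per entry worth a second look:
#   FLAG  uid 0 under a name other than root
#   FLAG  underscore (service) account whose password field is not "*"
#   INFO  non-service account that has an interactive shell
# Stock service accounts such as _mbsetupuser and _uucp produce no output,
# whatever shell they carry: the shell alone is not the signal.
audit_passwd() {
    grep -v '^#' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        if [ "$uid" = "0" ] && [ "$name" != "root" ]; then
            echo "FLAG: uid 0 account '$name' (home $home, shell $shell)"
        fi
        case "$name" in
            _*)
                [ "$pw" = "*" ] ||
                    echo "FLAG: service account '$name' has a local password field ('$pw')"
                ;;
            *)
                case "$shell" in
                    /usr/bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
                    *) echo "INFO: login-capable account '$name' (uid $uid, shell $shell)" ;;
                esac
                ;;
        esac
    done
}

# Stand-alone run against the constructed sample; on a real Mac, call
# audit_passwd /etc/passwd instead.
SAMPLE_FILE=$(mktemp)
write_sample_passwd "$SAMPLE_FILE"
audit_passwd "$SAMPLE_FILE"
```

On a live system, pair `audit_passwd /etc/passwd` with `dscl . -list /Users UniqueID` so that the file and the Open Directory node agree on the account list; the `id _mbsetupuser` output in UPD #1 is the same record viewed through that node.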


Sep 5, 2021 6:51 AM in response to James Brickley

SIP is of course a very good idea; thanks to the developers for this protection feature! But as far as I know, SIP checks system files by the hash of files from the system image that we have on the SSD (in the form of a hidden partition). But what if someone has stitched some UEFI bootkit into the BIOS chip, and now it automatically changes some files in the system image that SIP uses as its reference when it is turned on? How can I check this image or the UEFI BIOS firmware?

Sep 5, 2021 7:39 AM in response to XopmoH

XopmoH wrote:

SIP is of course a very good idea; thanks to the developers for this protection feature! But as far as I know, SIP checks system files by the hash of files from the system image that we have on the SSD (in the form of a hidden partition).

SIP doesn't do anything at all like that.

But what if someone has stitched some UEFI bootkit into the BIOS chip, and now it automatically changes some files in the system image that SIP uses as its reference when it is turned on? How can I check this image or the UEFI BIOS firmware?

That has not happened. And it would be impossible for you to perform such a check.


You need to give this up. The only thing here that has been hacked is your mind. The internet and social media have convinced you that hackers have rewritten your operating system. Your operating system is fine. It has not been hacked. That is extraordinarily difficult to do. Hacking you is quite easy. Why would any self-respecting hacker take the more difficult path? It is better to make you think you've been hacked so that you go off on these wild goose chases. The most likely outcome is that you will try to inspect these low-level operating system structures, add 3rd-party security, and, in the end, finally make your computer susceptible to hacking.

Sep 5, 2021 7:39 AM in response to XopmoH

I'm not aware that SIP does anything but prevent all users (including root) from altering a file or folder. It was a precursor to the read-only system volume. I don't think it compares any file hashes at all.


There isn’t a BIOS chip on a Mac.


With physical access to the Mac, someone theoretically might be able to flash the EFI firmware. Did you let someone take physical control of your Mac?


I have no idea how to check. If you have that fear, you should hire someone to evaluate your Mac.
