Skip to main content

Security Bite: Hackers are now directing users to Terminal to bypass Gatekeeper in macOS Sequoia

9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.


In possibly a first since the release of macOS Sequoia, cybersecurity researchers have identified a new attack vector that sidesteps the usual “right-click, open” in favor of something rather unusual. In a recent finding shared on social media, this new method involves tricking users into dragging and dropping malicious code (via a .txt file) directly into the Terminal.

With the release of macOS Sequoia, Apple took a proactive step to help keep Joe Shmoes from executing malware on their Macs. Users on Sequoia can no longer control-click to override Gatekeeper and open software that isn’t signed or notarized by Apple without having to go into Settings, then Privacy, to “review security information” before being able to run the software. The additional steps attempt to inform the user of what they’re mounting to disk and, ideally, give them pause.

Of course, this throws a wrench in the baddies’ (cybercriminals’) operations, which thrive on deceiving users to right-click and hit “open” to use whatever legitimate application they think they installed. I’m speculating that the more users who continue to adopt Sequoia, the fewer executions occur on machines, and thus, the less money they make from draining crypto wallets on Macs and so on.

Now, we’re seeing one of the first instances of cybercriminals evolving their tactics to circumvent macOS Sequioa’s latest Gatekeeper change. This particular sample of the new infostealer is going under the name Cosmical_setup and is being tracked as Amos-affiliated.

Here’s how it works:

  1. The attacker delivers a disk image file (DMG) to the victim.
  2. The victim is instructed to open the Terminal application and, instead of right-clicking to install, they are asked to drag and drop a “.txt” file directly into the Terminal window.
  3. The seemingly harmless “.txt” file is, in fact, a malicious Bash script. Once dropped into the Terminal, it triggers the execution of osascript, which then runs AppleScript commands.
Demo via @g0njxa on X.

This approach is more trivial for people like my grandparents to do over a simple right-click. We’ll have to wait and see if the baddies will stick with this or if it’s just a one-off malware product test. All-in-all I use my grandparents for scale on most things malware, and this doesn’t pass. Well done, Apple.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications