Graham Cluley drew my attention the other day to an issue that has apparently been known to some for years, but was new to me: clipboard poisoning, an issue where a website can replace what you think is on your clipboard with something else (…)
It turns out that there’s a possibility that this could lead to remote code execution. In other words, it could lead to someone else’s malicious code being run on your computer without your knowledge!
Once malicious code has been run on your computer, that code can download and install other processes, and in no time, your Mac has been pwned.
The key to this issue lies with any code that the user might copy from a website, then copy somewhere else in such a way that it is automatically executed. It turns out that this is possible with shell scripts pasted into the Terminal.
As an example, consider the following command, which is commonly cited as a way to make your Mac show hidden files:
defaults write com.apple.finder AppleShowAllFiles TRUE; killall Finder
Read his full post for tips how to keep yourself safe.