Skimming an AI answer cost me 100 passwords

09 Jun, 2026

NB: This whole story is stupid. I was tired and stupid. I knew better, and this is an "it'll never happen to me, but it did" style of story.

I gave a talk¹ at an Anthropic event recently and I said to the audience "a special warning to the non-technical folks: never run a curl command you don't trust". During the Q&A I was asked why and I replied with a quick anecdote, but that it is actually a long story that needs a blog post. Since Mythos² launched today with its allegedly incredible cybersecurity skills, it seemed like a good time to write this up. So here it is:

The setup

It was around midnight and I was tired from a mixture of work, chores, and a newborn. If you hate sleep, I highly recommend this regimen:

• Quit your executive job
• Start a consulting company
• Build software that solves your little problems and open source it (people log bugs they want fixed, who knew?)
• Dust off your old "startup ideas list" and start building those too
• Move house when your wife is 9 months pregnant(!)
• Welcome the new baby (and keep your older children happy too)
• Have one of your kids start kindergarten and all the emotion comes with that.

9-9-6? Those are rookie numbers, follow my regime and you'll be running on a 5-12-7 clock. The whole week had been a blur and I was happy to be getting some productive work done, even though it wasn't good quality deep work. It was the kind of work that runs on autopilot and momentum. The kind where you've been at it long enough that you stop questioning yourself, it's muscle memory as you go through the motions, and the default is to reach for the path of least resistance.

I was fiddling with a project in Claude Code and kept running into a plugin issue across sessions. Reload wasn't working, and I kept tripping over env warnings. I was digging around trying to unhide hidden files to edit my configuration and troubleshoot. I was getting frustrated, which led me to this AI prompt:

"I want to unhide all the hidden files on my system. Go find me a terminal command." It came back with a few options and I clicked around the results. I was tired and I didn't want to read.

I glanced at the command to make sure it wasn't garbage… a few characters at the start, a few at the end. I didn't try hard. In retrospect I remember it looked weird, but didn't think it was dangerous. I was tired and I wanted to fix this one thing (just one teeny tiny little thing) and then go to bed.

This is the stupid part. Muscle memory kicked in (people who use Excel with no mouse or Vim will get it): I copied, pasted, and hit enter in milliseconds.

The command I ran was not the command I read.

My heart sank as soon as I saw the command expand in the terminal… It was now much longer. What I saw visually was not what was copied. Why is there a curl command in the middle there? What are all those random characters, is that base64? Holy shit.

Then a flicker in my browser tabs. A Chrome window popped up that I didn't launch and minimized itself near instantly.

I hesitated for a moment thinking I was tired, but I knew something was wrong. I ran a process check. Why is ngrok running? That tool creates a connection from my computer to somewhere remote and I had never used it before. Holy shit #2.

So I ran a quick grep to search for some of my passwords, starting with my local login. There it was, sitting in a plaintext file buried in a temp directory a few folders deep. Holy shit #3.

I'd opened the door to malware, invited it in, and now it was helping itself to all my passwords and credentials.

What it stole

The command I'd run contained a base64-encoded payload buried between the parts I'd actually read. Once decoded, it reached out to a domain registered 3 days earlier and pulled down a set of malicious scripts along with ngrok (a legitimate tunneling tool that attackers favor because it makes outbound traffic look unremarkable). By the time I noticed, the malware had been at it for maybe 15 minutes, keylogger installed and running. It took:

• My macOS Keychain, the master key to everything else on the system
• Auth tokens and API keys sitting in memory and config files
• My password manager master password, my local login, and all keystrokes for that time period captured live through the keylogger
• Everything stored in Chrome - roughly 100 passwords and 2 saved credit cards.

Chrome encrypts its saved passwords and card details with a key stored in the macOS Keychain, under an entry called Chrome Safe Storage. macOS normally prompts before another process can read it, so the malware either caught me approving a prompt while I was distracted, or wore me down with repeated requests until I clicked allow, I honestly don't remember. Either way, it got the key, and Chrome's password and credit card databases were readable in plain text so it got those too. A Silver Lining: Most of those passwords were years old and credit cards were expired! I switched to a proper password manager a while back.

My password manager vault came through untouched. It's encrypted at rest, so the malware copied a blob it had no way to open. What it did get was my master password through the keylogger, so anything I'd recently accessed had to be treated as exposed.

How I recovered

I opened 3 Claude Code instances, each with a different job. Everyone says don't do this, but what the hell, it was now 1am and I was swearing like a sailor under my breath: they all got --dangerously-skip-permissions!

The first CC (hunter) had to seek and destroy active threats: kill any suspicious processes, look for running malware, check for common hooks like Launch Agents that would restart everything on a reboot. The second (scanner) went through the hard drive, flagging recently edited files, new directories, anything that shouldn't have been there. The third (investigator) worked out the exposure, what had actually been stolen and exfiltrated, and how bad the damage was.

Running them in parallel meant I could triage and contain at the same time, instead of doing one thing while the malware kept doing another.

The most important discovery came from the Hunter CC instance. The malware had embedded itself into my startup processes. On macOS this means entries in Launch Agents or Launch Daemons, files that tell the system to run something on every login or boot. If I'd killed the software processes and gone to bed, everything would have restarted the moment I turned the machine back on. Claude Code found those persistence hooks and removed them for me before I shut anything down.

I went to bed at 4:30am I think. The malware was gone, the persistence hooks were removed, and I'd rotated every key and credential with any chance of exposure (basically the blast radius that Investigator CC found - anything used in the prior hour, every high-value account like email and banking, and every active browser session). The technical cleanup took about 90 mins. The unglamorous part, going through every bank account, every email, every critical service and changing passwords purely as precaution, took the rest of the night.

If I'd been storing everything in Chrome, the whole night would have been a total loss instead of a recoverable one. The password manager held up and the persistence hooks Claude Code surfaced never got the chance to fire. Launch Agents and Launch Daemons are the first place malware embeds itself and the last place a tired person thinks to check.

A base64-encoded payload in a curl call is a known pattern, and I knew it before this happened. Being tired just made me predictable, and I stepped on that land mine.

The AI agent tool I was using ran on a non-frontier model and returned a handful of web results when I asked, and I lifted the command out of one of them without reading it. The malicious command rode in on a page from that search and running it unread was my mistake to own. There must be extra layers in the models hosted by the big players, because I can't recall being exposed to something like this in my daily use of Claude, ChatGPT, or Gemini. The same category of tool sat on both sides of the problem.

The session transcript is gone, lost during the mass-nuking and key rotation frenzy on the night, so this is written from memory. It's the same story I told that room at the Anthropic event, just longer, and with the stupid parts left in.

END.