I Used to Think "Just Looking" Was the Safest Thing You Could Do

Late last year, a collaborator sent me a file called "quote.txt." I cracked open my terminal and ran a quick preview command — totally routine. I figured: I'm not executing anything, I'm just reading text. What could go wrong? What I found out later genuinely gave me chills: under certain default settings, that single "just looking" action is enough for whoever crafted that file to quietly run code on your machine. No confirmation dialog. No warning. Nothing.

If you use a Mac, occasionally open a terminal (the black-background window with white text), or you have an assistant or contractor who handles files using a terminal on your behalf — this is worth three minutes of your time.

Here's Where the Problem Lives — and Someone Already Learned the Hard Way

There's a popular Mac terminal app called iTerm2. A lot of designers, operations folks, and freelancers have it installed — sometimes they didn't even choose it; it came bundled with something else. iTerm2 has a feature that's turned on by default called "Allow file content to trigger special instructions." The plain-English version: if you preview a file that's been tampered with, commands hidden inside that file will execute automatically on your computer — no clicking "confirm," no clicking "allow," nothing from you at all.

Chenmo, a freelance designer based in Shenzhen, told me what happened to her this past March. She picked up a new client project at a coffee shop, and the client sent over a file called "asset-brief.txt." Out of habit, she ran cat on it in the terminal (that's just the standard preview command). Afterward she noticed several background processes running on her machine that she'd never installed. It took her an entire afternoon to figure out what had happened. Her words: "I thought .txt was literally the safest format possible. And then…"

This isn't a Chenmo problem. This vulnerability has been discussed in technical communities for a long time — it's just that most everyday users have never heard of it.
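As an added illustration, not part of the original post and not an iTerm2 feature: a small shell check you can run on a file before previewing it. It counts the bytes that can start a terminal control sequence and previews with cat -v, which shows those bytes as visible text instead of handing them to the terminal. The function names and the two sample files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example. "count_control_bytes" and "safe_preview" are names chosen
# here; they are not commands or settings shipped with iTerm2.

# Count bytes that can start a terminal control sequence: ESC (0x1b) and any
# other C0 control byte except tab, newline and carriage return. Prints the count.
count_control_bytes() {
    LC_ALL=C tr -d '\t\n\r' < "$1" | LC_ALL=C tr -cd '\000-\037\177' | wc -c | tr -d ' '
}

# Preview that never passes raw control bytes to the terminal: cat -v renders
# ESC as ^[ and other control bytes as ^X, so nothing in the file can act.
safe_preview() {
    n=$(count_control_bytes "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $1 contains $n control byte(s); showing escaped view only" >&2
    fi
    cat -v "$1"
}

# Constructed sample files, not real client attachments. The second one only
# carries a harmless colour code, enough to show how the check reacts.
tmp=$(mktemp -d)
printf 'Quote: 3 banners, delivery in 5 days.\n' > "$tmp/clean.txt"
printf 'Quote: \033[31m3 banners\033[0m, delivery in 5 days.\n' > "$tmp/tampered.txt"

safe_preview "$tmp/clean.txt"
safe_preview "$tmp/tampered.txt"
```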

What It Actually Costs to Protect Yourself Today

  • Money: ¥0 / $0. iTerm2 is free, and turning off the setting is free.
  • Time: Under 30 seconds.
  • Technical skill required: If you can click a menu with a mouse, you're qualified. No code involved.
  • First step — click here: Open iTerm2 → click "iTerm2" in the top-left menu bar → click "Settings" → go to "Profiles" → click "Advanced" → find the "Triggers" section → make sure there are no unfamiliar entries there. If you're unsure what you're looking at, just ask a tech-savvy friend to take a look for you.

Not sure if you even have iTerm2 installed? Open Finder on your Mac and search for "iTerm." If nothing shows up, this article doesn't apply to you right now — feel free to move on.

My Honest Suggestion Depending on Where You Are Right Now

If you're just starting out and still doing everything yourself: The external files landing in your inbox are probably client briefs, quote sheets, and asset bundles. If you ever use a terminal to preview files, spend 30 seconds running through the iTerm2 check above. This isn't something everyone needs to panic about — but checking once buys you a lot of peace of mind for a long time.

If you've got one or two steady clients and you're handling more outside files: I'd casually mention this risk to any assistant or contractor who touches files on your behalf. You don't need to explain the technical details — just something like: "If a file comes in from someone we don't know well, don't preview it in the terminal first, just flag it for me." Trust gets built in the details.

If you're scaling up and your team is sharing devices or working remotely: It's worth blocking out half an hour to run the iTerm2 check across the Mac machines your team uses most. While you're at it, sketch out a simple "how we handle incoming external files" policy. Not because you distrust clients — but because having that habit makes your whole operation feel more professional and solid.