On this page[1] there's the text "ls -lat" which, if you copy it and then paste it in your terminal, actually pastes this whole thing instead:
ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP'
ls -lat
I guess one mitigation would be setting a sudo password, even in VMs?
Qubes has no password for sudo by default.
What else can be done? Thoughts?
If using uMatrix, uBlock Origin and NoScript, all with blocking all by default, the page only requires allowing (2 pieces of) CSS from www.blogger.com for this to be completely hidden: i.e. you think you copied "ls -lat", but assuming you don't Ctrl+Shift+C it too AND look at the size of the copied text in the notification (575 bytes instead of 7), you won't notice anything abnormal, until pasted in the terminal.
If not allowing even the CSS, then there's something visible on the left when "ls -lat" is selected (actually when the space in between is selected) which gives it away. I attached the 3 pictures for this case.
(Not attaching screenshot for when allowing (only) CSS from www.blogger.com because it's obvious that it looks normal and you can't see the hidden text.)
[1] https://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html
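One way to automate the size check mentioned in the post and to make the hidden part visible before anything reaches a shell, as an added example that is not part of the original post. The function names are hypothetical, the clipboard content is passed in as a string rather than read from any particular clipboard tool, and the sample is shortened from the payload quoted above.

```python
import re
import unicodedata

# Shell syntax that chains or substitutes commands within one pasted line.
CHAINING = re.compile(r";|&&|\|\||\||`|\$\(")

def audit_paste(copied, selected=None):
    """Return a list of reasons not to paste `copied` straight into a shell.

    `selected` is the text the user believes they copied (optional).
    """
    findings = []
    if selected is not None and copied != selected:
        findings.append(
            "size mismatch: clipboard holds %d bytes, visible selection is %d"
            % (len(copied.encode("utf-8")), len(selected.encode("utf-8"))))
    if "\n" in copied or "\r" in copied:
        findings.append(
            "line break: every completed line runs as soon as it is pasted")
    # Cc = control characters (ESC etc.), Cf = invisible format characters
    # such as zero-width spaces; tab and line breaks are handled above.
    if any(unicodedata.category(c) in ("Cc", "Cf") and c not in "\n\r\t"
           for c in copied):
        findings.append("control or invisible format characters present")
    if CHAINING.search(copied):
        findings.append("command chaining or substitution: "
                        + " ".join(sorted(set(CHAINING.findall(copied)))))
    return findings

def show_escaped(copied):
    """Render the clipboard with line breaks and control bytes made visible."""
    return copied.encode("unicode_escape").decode("ascii")

# Constructed sample: the first commands of the payload quoted in the post,
# then a line break and the text the reader thought they had selected.
SAMPLE = ("ls ; clear; echo 'Haha! You gave me access to your computer "
          "with sudo!'\nls -lat")

if __name__ == "__main__":
    print(show_escaped(SAMPLE))
    for reason in audit_paste(SAMPLE, selected="ls -lat"):
        print("WARN:", reason)
```

Pasting into a text editor first, or into a terminal that asks for confirmation on multi-line pastes, gives the same visibility without any script.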