Detect ClickFix-style Terminal-paste social engineering on macOS endpoints
From CTI Daily Brief — 2026-05-10 · published 2026-05-10
Add detection for Terminal spawning curl / wget immediately followed by pipe-to-shell execution from a non-developer profile, anomalous LaunchAgent / LaunchDaemon plist creation outside /Applications and /Library/Application Support/<vendor> paths, and Keychain-API access by processes without UI entitlements (Microsoft Security Blog, 2026-05-06). Brief end-users that Base64 Terminal-paste prompts on utility-installation pages are a malware delivery technique.
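The following is an added example, not code from the brief or from the Microsoft post: one way to express the first detection above, pairing a curl / wget process under Terminal with a sibling shell that was started without a script file. The `Exec` event schema, the `developer_users` allowlist, the 2-second window and the sample events are assumptions made for illustration.

```python
from collections import namedtuple

# Hypothetical normalized exec event (not a vendor schema); ts is in seconds.
Exec = namedtuple("Exec", "ts pid ppid user image argv")

TERMINAL_SUFFIX = "/Terminal.app/Contents/MacOS/Terminal"
DOWNLOADERS, SHELLS = {"curl", "wget"}, {"sh", "bash", "zsh"}
WINDOW = 2.0  # assumed correlation window in seconds; tune per environment

def name(ev):
    return ev.image.rsplit("/", 1)[-1]

def under_terminal(ev, by_pid):
    """True if Terminal.app is an ancestor of ev; the hop limit guards against loops."""
    hops = 0
    while ev is not None and hops < 32:
        if ev.image.endswith(TERMINAL_SUFFIX):
            return True
        ev, hops = by_pid.get(ev.ppid), hops + 1
    return False

def reads_stdin_or_inline(ev):
    """Shell started without a script file: bare `sh`, `sh -s`, or `sh -c <text>`."""
    return name(ev) in SHELLS and (len(ev.argv) <= 1 or ev.argv[1] in ("-s", "-c"))

def find_paste_to_shell(events, developer_users=frozenset()):
    """Pair each downloader under Terminal with a sibling shell started within WINDOW."""
    by_pid = {e.pid: e for e in events}  # assumes no PID reuse within the batch
    alerts = []
    for dl in events:
        if (name(dl) not in DOWNLOADERS or dl.user in developer_users
                or not under_terminal(dl, by_pid)):
            continue
        for sh in events:
            if (sh.ppid == dl.ppid and reads_stdin_or_inline(sh)
                    and abs(sh.ts - dl.ts) <= WINDOW):
                alerts.append((dl.user, dl.pid, sh.pid))
    return alerts

# Constructed sample: Terminal -> login -> zsh -> (curl | sh).
SAMPLE = [
    Exec(0.0, 100, 1, "alice", "/System/Applications/Utilities" + TERMINAL_SUFFIX, ("Terminal",)),
    Exec(0.1, 101, 100, "alice", "/usr/bin/login", ("login", "-pf", "alice")),
    Exec(0.2, 102, 101, "alice", "/bin/zsh", ("-zsh",)),
    Exec(9.0, 110, 102, "alice", "/usr/bin/curl", ("curl", "-fsSL", "https://example.invalid/i.sh")),
    Exec(9.0, 111, 102, "alice", "/bin/sh", ("sh",)),
]
```

Exec telemetry does not expose the pipe itself, so the same-parent and timing match is a heuristic that should be tuned against the environment's own baseline.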