That description is broadly consistent with a real social-engineering pattern, but I cannot independently verify every claim in that quoted text from here.
What it means in practice
A “watering hole” style attack in this context usually means:
- Attackers create a fake or copied documentation page
- The victim believes they are following legitimate install steps
- The page shows malicious terminal or PowerShell commands instead of the real ones
- The malware execution is triggered by the user pasting and running those commands
So the main risk is not a traditional drive-by exploit, but a user being tricked into executing attacker-controlled commands.
Why this is effective
Many developers and power users are used to copying install commands directly from documentation.
If an attacker clones a trusted-looking page well enough, the victim may not notice:
- A slightly different domain
- Modified install instructions
- Extra flags or hidden command chains
- Use of curl, irm, iex, bash, sh, or similar direct execution methods
Commands that download and immediately execute content are especially risky.
Good safety habits
For Windows and macOS, the safest approach is:
- Use only the official vendor domain
- Type the known official URL manually or use a trusted bookmark
- Verify the domain carefully before copying commands
- Avoid one-liners that download and execute in the same step
- Read commands before running them, especially anything involving shell scripts or PowerShell
- Prefer official package managers or signed installers when available
Examples of higher-risk patterns include:
- PowerShell commands using irm (Invoke-RestMethod), iwr (Invoke-WebRequest), or iex (Invoke-Expression)
- Shell commands piping curl or wget output into sh or bash
- Commands that disable security prompts or change execution policy
If someone already ran a suspicious command
Reasonable next steps would be:
- Disconnect the affected system from the network if compromise is suspected
- Run a scan with reputable security software
- Review startup entries, scheduled tasks, launch agents, and recent downloads
- Change passwords from a clean device if credentials may have been exposed
- Check official documentation to compare the legitimate install steps
- Submit any downloaded file, script, or URL to VirusTotal for additional analysis
If there are signs of active compromise, posting logs in the appropriate MalwareTips malware removal/support section would be the safest next step.
Bottom line
Yes, this is a credible attack method in general: fake documentation pages can trick users into running malicious install commands. The safest defense is to verify the domain and avoid copy-pasting commands that fetch and execute remote content in one step.
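As an added example, not part of the original reply, the following POSIX shell helper applies the habits above mechanically. risky_install_command flags a copied command when it fetches remote content and executes it in the same step (curl/wget piped into sh or bash, irm/iwr piped into iex, command or process substitution feeding an interpreter) or when it weakens PowerShell's safeguards (execution policy bypass, encoded commands). run_if_hash_matches shows the staged alternative: a script that is already on disk is run only after its SHA-256 matches a value taken from the vendor's own site. The domain example.invalid, the sample commands and the hashes are constructed for the demonstration; the patterns are heuristics and will not catch every obfuscation.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for commands
# copied out of a documentation page, plus the staged "download, read, verify,
# then run" alternative the post recommends. Patterns are heuristics; the URLs,
# sample commands and hashes used below are constructed for the demonstration.

# A remote fetch tool is present (shell tool, or PowerShell alias / cmdlet).
FETCH_RE='(^|[^[:alnum:]_])(curl|wget|irm|iwr|Invoke-WebRequest|Invoke-RestMethod)([^[:alnum:]_]|$)'
# Output is piped straight into an interpreter: "| sh", "| sudo bash", "| iex".
PIPE_EXEC_RE='\|[[:space:]]*(sudo[[:space:]]+)?(sh|bash|zsh|iex|Invoke-Expression)([^[:alnum:]_]|$)'
# Interpreter fed from a substitution: sh -c "$(curl ...)", bash <(wget ...), iex (irm ...).
SUBST_EXEC_RE='(\$\(|<\()[[:space:]]*(curl|wget)|(^|[^[:alnum:]_])(iex|Invoke-Expression)[[:space:]]*\('
# PowerShell safeguards switched off, or a payload hidden in an encoded command.
POLICY_RE='(^|[^[:alnum:]_])(-ExecutionPolicy[[:space:]]+(Bypass|Unrestricted)|Set-ExecutionPolicy|-EncodedCommand|-e(nc)?[[:space:]]+[A-Za-z0-9+/=]{16,})'

# has TEXT ERE: true when TEXT matches the extended regex (case-insensitive).
has() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }

# Returns 0 (risky) when the command fetches and executes in one step or
# weakens PowerShell's safeguards, 1 otherwise.
risky_install_command() {
  cmd=$1
  if has "$cmd" "$FETCH_RE" && has "$cmd" "$PIPE_EXEC_RE"; then return 0; fi
  if has "$cmd" "$SUBST_EXEC_RE"; then return 0; fi
  if has "$cmd" "$POLICY_RE"; then return 0; fi
  return 1
}

# SHA-256 of a file, using whichever tool the platform provides
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Staged alternative to a one-liner: the script is already on disk (saved with
# curl -o / wget -O, or from the browser), so it can be read first, and it only
# runs if its digest matches the value published on the vendor's own site.
# Returns 2 and runs nothing on a mismatch.
run_if_hash_matches() {
  script=$1
  expected=$2
  actual=$(sha256_of "$script")
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to run %s: sha256 %s does not match expected %s\n' \
      "$script" "$actual" "$expected" >&2
    return 2
  fi
  sh "$script"
}

# Constructed sample commands (example.invalid is a reserved, non-resolving domain).
demo() {
  for c in \
    'curl -fsSL https://example.invalid/install.sh | sh' \
    'irm https://example.invalid/setup.ps1 | iex' \
    'powershell -ExecutionPolicy Bypass -File setup.ps1' \
    'curl -fsSLo install.sh https://example.invalid/install.sh' \
    'brew install jq'
  do
    if risky_install_command "$c"; then
      printf 'RISKY: %s\n' "$c"
    else
      printf 'ok:    %s\n' "$c"
    fi
  done
}

demo
```

Note that the fourth sample command, which downloads to a file without running it, is not flagged: that is the split the post asks for, and run_if_hash_matches is the second half of it. A vendor that publishes no checksum gives you nothing to compare against, so in that case read the saved script before running it.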