Patrick Wardle, Objective-See (via Michael Tsai):
Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it’s wise to automatically open “safe” files.
This is a pretty long read, but it all comes down to the way macOS Safari treats downloaded files, and one specific setting in Safari Preferences:
Preferences > General > Open “safe” files after downloading
Here’s a picture of that setting, a checkbox down at the bottom of the General tab. I’ve unchecked mine. You might want to take a look at yours.
Key to all this is the word archives at the end. That includes .zip files, which can contain, well, bad stuff.
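If you would rather check (or clear) that checkbox from a terminal than click through Safari Preferences, here is an added shell snippet, not part of the original post or Wardle's write-up. It assumes the checkbox is backed by the `AutoOpenSafeDownloads` key in the `com.apple.Safari` defaults domain, with a true value meaning auto-open is on; when the key is absent Safari's built-in default applies, so confirm that case in the UI.

```shell
#!/bin/sh
# Added example (not from the original post): audit and, optionally, turn off
# Safari's "Open 'safe' files after downloading" preference from the shell.
# Assumption: the checkbox is stored as AutoOpenSafeDownloads in the
# com.apple.Safari defaults domain, true = auto-open (and auto-unzip) on.

# Map the raw value `defaults read` prints to a verdict.
classify_auto_open() {
  case "$1" in
    1|true|YES|yes)  echo "enabled" ;;   # archives will be unzipped on download
    0|false|NO|no)   echo "disabled" ;;  # the checkbox is unchecked
    "")              echo "unset" ;;     # key absent: built-in default applies, verify in the UI
    *)               echo "unknown" ;;
  esac
}

# Read the live value on a Mac; prints nothing when the key is not present.
read_safari_auto_open() {
  defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
}

# Uncheck the box for the current user (restart Safari for it to take effect).
disable_safari_auto_open() {
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Only talk to `defaults` on macOS; elsewhere the functions are merely defined.
if [ "$(uname)" = "Darwin" ]; then
  verdict=$(classify_auto_open "$(read_safari_auto_open)")
  echo "Safari AutoOpenSafeDownloads: $verdict"
  if [ "$verdict" = "enabled" ] && [ "$1" = "--fix" ]; then
    disable_safari_auto_open && echo "disabled; restart Safari"
  fi
fi
```

Run it with `--fix` to clear the setting when it reports "enabled"; without the flag it only reports.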
Read the linked article. As I said, I’ve unchecked my setting and have not yet encountered a problem with it set that way. Is this as bad as it seems?
UPDATE: This issue has, apparently, been around since the dawn of time, but the default is supposed to be unchecked. I just unboxed a new Mac, factory settings, no migration, and the setting was on/checked. Public version of High Sierra.