Recurring Safari scam pop-ups persist on Mac after reinstall

Thank you for the advice and for sharing your expertise. I truly appreciate the time and effort volunteers contribute to this forum. For clarity, all of the steps suggested have already been completed, as detailed in my opening post. I am now focusing on determining whether this intermittent pop-up is web-based, and I’m seeking input from other Mac users who may have encountered similar behavior and resolved it.

I’m aware there are two very different viewpoints regarding antivirus software on macOS, and I don’t intend to re-enter that debate. I’m fully familiar with macOS’s built-in security architecture — XProtect, MRT, Gatekeeper, SSV, SIP, and the read-only system volume — and I also recognize that macOS has become a much more common target for browser-level attacks, malvertising chains, and script-based redirects. For clarity: the pop-ups in question appeared after a clean installation of macOS, before any third-party tools or utilities were installed. Bitdefender was simply one of many diagnostic methods I tried after the issue had already occurred. It represented a very small portion of the overall troubleshooting process and has since been completely removed from the system.

My question is not about antivirus software, nor about whether Macs “need” it. My focus is specifically on web-based attack vectors — malvertising, injected JavaScript, redirect scripts, or compromised ad-delivery frames — and whether anyone here has encountered a similar persistent pop-up behavior that survived a clean OS install and standard browser resets. I’m currently waiting for the next occurrence so I can capture the initiating script and request chain using Safari’s Web Inspector (Network → Preserve Log) to analyze the referrer and event origin. What I’m looking for is insight from users who have dealt with similar browser-level behaviors and successfully identified or resolved them.

I think the discussion has drifted away from my original question, so let me clarify the context to keep things focused. The pop-ups began before any antivirus software was installed — they appeared immediately following a clean installation of macOS and the creation of a fresh user environment. Bitdefender was only added later as a diagnostic tool after the issue already existed, and it has since been fully removed. Whether macOS does or doesn’t need antivirus software is not the topic here, and it isn’t relevant to the underlying issue I’m trying to resolve.

What I’m specifically asking is this: has anyone experienced a persistent, browser-based pop-up or redirect that survived a clean macOS installation, and if so, how was it identified or resolved? I’m trying to determine whether this is a web-based attack vector, likely coming from a particular site or injected script. If anyone has experience with malvertising, JavaScript-based redirects, compromised ad-chains, or diagnosing such behavior through Safari’s Web Inspector, that is the type of input I’m hoping to gather. Thank you.

Thanks for the reply, but I want to clarify a few important points:

1. Bitdefender was not the cause of this issue.

I only installed Bitdefender after these pop-ups started. The pop-up was so persistent that I installed Bitdefender as a reaction, not the other way around. So uninstalling it doesn’t address the underlying problem, because the behavior pre-dated any third-party security software on my Mac.

2. I’ve already worked through the steps in the link you provided.

I want to stress that again: I’ve already cleared Safari history, removed website data, turned off notifications, checked extensions, reset Safari, and restarted in Safe Mode. None of that resolved the issue. This wasn’t leftover adware. This was a clean system that suddenly began showing persistent, fullscreen pop-ups that effectively “took over” Safari until I force-quit it.

3. My concern is understanding the root cause.

Since this began happening before any antivirus was installed and after I had already cleaned Safari, I’m trying to determine whether this is being triggered by a specific website, some kind of aggressive script, or something else in the network chain. I’ve confirmed the router DNS has been changed, and the same DNS is reflected on the other devices in the house.

I’m not disputing that macOS has strong security or that true viruses don’t replicate on it. I’m simply trying to understand why a fully updated, clean system is getting a persistent fullscreen browser takeover that doesn’t behave like a typical one-off adware pop-up.

Owl-53: I appreciate your responses, but nothing you’re suggesting will resolve this, as I have already completed all of these steps. As Albert Einstein is often quoted, the definition of insanity is doing the same thing over and over and expecting a different result. Thank you for your help. For clarity, this is not a Tahoe-based issue. I’m seeking insight from the broader experience of this forum to determine if this is a web-based attack, and if so, what can be done to stop it (aside from the obvious step of avoiding the website).

My next step will be to monitor the pop-up in real time using Safari’s Web Inspector. I plan to examine the Network tab to capture all scripts and network requests triggered when the pop-up appears, including any external domains, JavaScript files, or ad network calls responsible for delivering it. This should allow me to precisely identify the source of the pop-up without having to rely on system-level troubleshooting.

I’m simply trying to determine here if anybody else using macOS 26 Tahoe has experienced this kind of web-based pop-up, how they resolved it, and whether it is indeed tied to website scripts rather than the operating system itself.

Thank you for sharing your setup and experience. I appreciate the detailed context regarding your devices, Safari version, and installed extensions. My situation differs in a few key ways: this pop-up has appeared even on a completely fresh installation of macOS 26 Tahoe, with no third-party software, extensions, or VPNs installed. All system- and user-level variables have been eliminated, including a clean user account, purged LaunchAgents and LaunchDaemons, and verified SIP and sealed system volume integrity.

The fact that this occurs only on my Mac and not on your multiple clean devices strongly points toward a web-based vector, likely triggered by specific sites or scripts rather than the operating system itself. My next step is to capture the pop-up via Safari’s Web Inspector to identify the originating network requests and scripts. I’m seeking input from users who may have experienced similar web-based behavior, as system-level troubleshooting alone has not resolved the issue.

Mac Jim D: Thank you for the detailed response — I appreciate it.

Just to clarify where things stand: all of the Safari-level settings you’ve mentioned have already been reviewed and adjusted, including Pop-Up Windows, Tabs behavior, Website permissions, and Notifications (none allowed). I have also performed a full clean installation of macOS 26 Tahoe without restoring from Time Machine, and the first occurrence of the pop-up happened before any third-party software was installed.

Because of that, the usual causes — notifications, pop-up permissions, extensions, or EtreCheck-detectable hijackers — appear to be ruled out in this case.

At this point, I’m trying to determine whether anyone has encountered a webpage-based script or malvertising trigger that behaves similarly after a full clean install with no third-party components involved. If I can capture the event via Web Inspector > Network (with Preserve Log enabled), I will absolutely share the source, as I agree it would be useful to the community.

Thanks again for taking the time to respond.