[mindcrash]

Unless it was user-disabled Gatekeeper (https://support.apple.com/guide/security/gatekeeper-and-runt...) is running on your system to prevent malware infection when you have accidentally opened a malicious app, so you should be fine either way.

[TZubiri]

If you just downloaded it but didn't open the file, you are not infected.

[viraptor]

Most likely that's correct. Unless there exists some MacOS issue where just loading the thumbnail or metadata from that file would lead to exploit. It's extremely unlikely that's the case of a 0-click unpatched exploit on a random public file, but just wanted to note this for completeness - if you're paranoid about this case for some reason, it's possible in theory.

[krackers]

macOS does have quicklook generators, and the system seems very eager to register things with launchServices even before the app has been opened once. Perhaps this has been tightened on recent macOS versions, but otherwise it seems theoretically possible to get code running in a "0-click" fashion, simply by mounting a DMG which contains an app with a qlgenerator and another file with matching file type.

[dinkblam]

Even if you mount the DMG, there is no infection. You'd need to launch the malicious app.

Edit: its not an app but a command-line binary with ad-hoc signature.

[JoeyBananas]

protip, install software using a package manager from a reputable package repository

[arghtw]

Use homebrew next time :)

[neglesaks]

ChatGPT is a terrible source of info of security related topics.