Apparently some scammers are impersonating players’ friends and guild members and asking, on flimsy pretenses, for the user to post a “/run” command into the game’s chat box. Doing so at the request of a stranger is akin to opening an unknown email attachment, as it triggers a script designed or used by the scammer to siphon gold away from the player.
One Redditor delivers some clarification on how this script operates:
Found parts of the script, but not all of it. It works by replacing a global function that gets called (by the vanilla chat frame) whenever a message is received, with a function that runs the message as if it had been written after /run by the receiver. It allows them to remotely script your UI. The piece of code they whisper you after you input the seemingly harmless /run hooks it up to the chat message event, allowing them to hide any script messages. Meaning they can do anything an addon can, but remotely without you knowing it.
A /reloadui should get rid of it, but until that is done they can use your client for whatever they want, as long as it fits in a whisper.
Edit: This is all with the vanilla UI, no addons needed. It would be easy for Blizzard to fix this particular instance, but they won’t really be able to protect against scams like this. There’s always going to be some other piece of code someone can tell you to input. The best thing they can do is to disable /script and /run as commands until the player opts in through a setting or something, and put a huge warning on the opt-in to not enable it unless they are absolutely sure they want to.
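The mechanism in the quoted comment, a global function being swapped out at runtime, can be spotted by comparing function identities against a known-good snapshot. The following is an added example in plain Lua, not part of the Reddit post and not Blizzard's UI code; `HandleChatMessage` is a hypothetical stand-in for the real chat handler, and the tampering step is a constructed, harmless replacement.

```lua
-- Added illustration in plain Lua; runs outside the game client.
-- HandleChatMessage is a hypothetical stand-in for the global chat handler.
local received = {}

function HandleChatMessage(sender, text)
  received[#received + 1] = sender .. ": " .. text
end

-- Record which function each watched global points at while the UI is known-good.
local function snapshot(names)
  local baseline = {}
  for _, name in ipairs(names) do
    baseline[name] = _G[name]
  end
  return baseline
end

-- Return the names whose global no longer points at the recorded function.
local function findReplaced(baseline)
  local replaced = {}
  for name, original in pairs(baseline) do
    if not rawequal(_G[name], original) then
      replaced[#replaced + 1] = name
    end
  end
  table.sort(replaced)
  return replaced
end

-- Point the listed globals back at their recorded functions.
local function restore(baseline, names)
  for _, name in ipairs(names) do
    _G[name] = baseline[name]
  end
end

local baseline = snapshot({ "HandleChatMessage" })
assert(#findReplaced(baseline) == 0)          -- nothing replaced yet

-- Constructed tamper: a harmless replacement that silently drops messages.
HandleChatMessage = function() end

local replaced = findReplaced(baseline)
assert(#replaced == 1 and replaced[1] == "HandleChatMessage")

restore(baseline, replaced)
HandleChatMessage("Guildmate", "hello")
assert(received[1] == "Guildmate: hello")     -- original handler is back
print("replaced and restored: " .. table.concat(replaced, ", "))
```

A check like this only covers the globals it was told to watch, so inside the game the `/reloadui` mentioned in the comment remains the dependable reset.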