On the malicious page only the following script is included:
If you copy any text from such a page, the unwanted string always ends up in the clipboard (in this implementation regardless of the copied text). Instead of "evil command" you can now come up with a lot of ugly things. The whole thing becomes fatal if a line break at the end of the line is used to immediately execute the code:
It is also easy to reset the console output so that the user does not immediately notice what he has entered. For example, it is conceivable that when copying a harmless code snippet, one can shoot one's partitions in passing.
If you select the desired text, for example in the latest Firefox (v. 45.0) it is not this text but the text behind it that ends up in the clipboard.
Both methods can be tried out live here. Here the JS variant:
As well as the CSS variant: