A ClickFix campaign targeting macOS users deploys an AppleScript-based infostealer that harvests credentials, session cookies, and cryptocurrency wallet data. The attack uses a fake CAPTCHA page to trick victims into running a curl command via macOS Spotlight, which silently downloads a malicious script. The malware then presents a convincing fake system dialog — complete with the real macOS lock icon — that loops until the victim enters their correct password. It targets 14 browsers, 16 standalone crypto wallet apps, and over 200 browser extensions, stealing keychain data, saved passwords, autofill data, and crypto wallet credentials. Victims are primarily in Asia's finance sector. The latest macOS versions (Tahoe 26.4 / Sequoia) include a new Terminal paste-protection feature to block such attacks. Netskope Threat Labs has published indicators of compromise on GitHub.