Mac Script Editor becomes new entry point for ClickFix malware
ClickFix attacks targeting Mac users now use Script Editor instead of Terminal, a shift that sidesteps Apple's latest protections and streamlines the attack. ClickFix tricks the user Apple introduced command scanning for pasted input in macOS 26 .4, which added friction to earlier versions of the attack. Attackers now avoid that step by replacing copy-and-paste instructions with a guided workflow that launches Script Editor directly. Jamf says the campaign delivers a payload identified as a variant of Atomic Stealer through a fake system cleanup process. ClickFix attacks have traditionally relied on persuading users to copy and paste malicious commands into Terminal. Continue Reading on AppleInsider | Discuss on our Forums
What happened?
ClickFix attacks targeting Mac users now use Script Editor instead of Terminal, a shift that sidesteps Apple's latest protections and streamlines the attack. ClickFix tricks the user Apple introduced command scanning for pasted input in macOS 26 .4, which added friction to earlier versions of the attack. Attackers now avoid that step by replacing copy-and-paste instructions with a guided workflow that launches Script Editor directly. Jamf says the campaign delivers a payload identified as a variant of Atomic Stealer through a fake system cleanup process. ClickFix attacks have traditionally relied on persuading users to copy and paste malicious commands into Terminal. Continue Reading on AppleInsider | Discuss on our Forums
Story details
ClickFix attacks targeting Mac users now use Script Editor instead of Terminal, a shift that sidesteps Apple's latest protections and streamlines the attack.
ClickFix tricks the user Apple introduced command scanning for pasted input in macOS 26 .4, which added friction to earlier versions of the attack.
Attackers now avoid that step by replacing copy-and-paste instructions with a guided workflow that launches Script Editor directly.
Why it matters
This page keeps Apple rumors separate from official updates, so readers can follow early reports without confusing them with confirmed announcements.