Cybercriminals Bypass Apple’s New Terminal Security with ClickFix Variants
In March 2026, Apple introduced a security feature in macOS Tahoe 26.4 designed to protect users from malicious commands pasted into the Terminal application. This update aimed to combat the rising threat of ClickFix attacks, a prevalent method where users are deceived into executing harmful code.
Understanding ClickFix Attacks
ClickFix is not a specific malware but a social engineering technique that persuades users to run malicious commands, often leading to the installation of infostealers or trojans like Atomic Stealer. The method gained traction in 2025 following Apple’s release of macOS Sequoia, which restricted users from bypassing Gatekeeper to open unsigned or unnotarized software. This change diminished the effectiveness of fake DMG installers, prompting cybercriminals to adopt ClickFix due to its simplicity and ability to circumvent Gatekeeper without a signing certificate.
Apple’s Security Enhancement
To counteract ClickFix, Apple implemented a warning prompt in macOS Tahoe 26.4’s Terminal. When users paste potentially harmful commands, the system displays a message:
> Possible malware, Paste blocked. Your Mac has not been harmed. Scammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy. These instructions are commonly offered via websites, chat agents, apps, files, or a phone call.
This alert aims to prevent users from inadvertently executing malicious code.
Cybercriminals’ Adaptation
Despite Apple’s efforts, malware developers have devised methods to bypass this security measure. Jamf Threat Labs reported a new ClickFix variant that avoids using Terminal altogether. Instead, attackers create counterfeit Apple-themed webpages, such as a “Reclaim disk space on your Mac” page, featuring an “Execute” button. Clicking this button triggers an `applescript://` URL scheme, prompting the user to open Script Editor with a pre-filled script. If the user proceeds, the script executes, downloading and installing malware like Atomic Stealer.
This method effectively circumvents the Terminal paste warning, because the malicious command runs in Script Editor and is never pasted into Terminal. While Script Editor does present an “unidentified developer” prompt before saving the script, users may overlook this warning, especially if they believe they are interacting with legitimate Apple content.
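For defenders, one way to triage a captured page for this lure is to pull out every `applescript:` link and decode the script it would pre-fill. This is an added example, not code from Jamf or from this article. The `?action=new&script=` query layout, the risky-term list, and the sample page are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Matches applescript: URLs in attributes and in inline JavaScript strings.
LINK = re.compile(r"""applescript:[^\s"'<>]+""", re.I)
# Illustrative (assumed) markers of a script that reaches a shell or the network.
RISKY = re.compile(r"do shell script|curl|osascript|base64", re.I)

def find_applescript_links(page_source):
    """Return one finding per distinct applescript: URL in the page source."""
    text = html.unescape(page_source)  # turn &amp; back into & before parsing
    findings = []
    for url in dict.fromkeys(LINK.findall(text)):  # de-duplicate, keep order
        # Assumed layout: ...?action=new&script=<percent-encoded AppleScript>
        params = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes
        script = "\n".join(params.get("script", []))
        terms = sorted({m.lower() for m in RISKY.findall(script)})
        findings.append({
            "url": url,
            "script": script,  # decoded text an analyst can read
            "risky_terms": terms,
            # Any web-delivered Script Editor link deserves review;
            # shell or download primitives raise the priority.
            "severity": "high" if terms else "review",
        })
    return findings

# Constructed sample page; the embedded scripts are harmless placeholders.
SAMPLE_HTML = """
<a href="https://example.com/">Help</a>
<button onclick="location.href='applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22echo%20constructed-sample%22'">Execute</button>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22hi%22">Note</a>
"""

if __name__ == "__main__":
    for f in find_applescript_links(SAMPLE_HTML):
        print(f["severity"], f["risky_terms"], repr(f["script"]))
```

The same function can be run over proxy-captured HTML or saved pages from an incident; the decoded `script` field is what a user would have seen pre-filled in Script Editor.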
The Ongoing Security Battle
The rapid adaptation by cybercriminals highlights the continuous struggle between security measures and malicious actors. As Apple enhances its defenses, attackers develop new strategies to exploit system vulnerabilities and user trust.
Protecting Yourself
To safeguard against such threats:
– Verify Sources: Only download software and execute commands from trusted and official sources.
– Be Cautious with Prompts: Exercise caution when prompted to open applications or execute scripts, especially from unfamiliar websites.
– Stay Informed: Keep abreast of the latest security threats and updates to recognize and avoid potential scams.
– Update Regularly: Ensure your operating system and security software are up to date to benefit from the latest protections.
By remaining vigilant and informed, users can better protect themselves against evolving cyber threats.