Mac users beware — experts say this attack 'stood out immediately' by making a major change to try spread malware
ClickFix on Macs is evolving yet again
by https://www.techradar.com/uk/author/sead-fadilpai · TechRadarNews By Sead Fadilpašić published 9 April 2026
Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Become a Member in Seconds
Unlock instant access to exclusive member features.
Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors
By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.
You are now subscribed
Your newsletter sign-up was successful
Join the club
Get full access to premium articles, exclusive features and a growing list of member rewards.
An account already exists for this email address, please log in. Subscribe to our newsletter
- Hackers revive ClickFix attacks on macOS
- New method abuses Script Editor via URL scheme
- Campaign delivers Atomic Stealer to exfiltrate sensitive data
Hackers are adding new twists to the old ClickFix attack to bypass recently introduced macOS protections and still deliver infostealer malware to people’s devices, experts have warned,
Security researchers Jamf Threat Labs recently spotted one such campaign in the wild, having noted that so far, ClickFix attacks on macOS tried to get the victim to copy and paste a command into the Terminal.
However, with macOS 26.4, this method no longer works, since the device scans all pasted commands before they’re executed - so, the miscreants got creative, and found a new point of entry - Script Editor.
Article continues below
Dropping AMOS
Script Editor is a built-in macOS application that lets users write, edit, and run scripts to automate tasks and control apps. It supports AppleScript and JavaScript, allowing users to streamline certain actions without needing to create full software programs.
To get victims to run Script Editor, the attackers used a URL scheme.
“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here isn't surprising,” the researchers wrote. “What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”
A URL scheme is a special type of link that uses a custom prefix to trigger specific actions.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors