Security Bite: ClickFix malware authors already bypassing Apple’s new Terminal paste warning

Malware authors are bypassing new macOS security protections by using a modified ClickFix technique that leverages Apple’s Script Editor to execute malicious code instead of the Terminal app.

Key Points

  • Apple recently introduced a Terminal warning prompt in macOS Tahoe 26.4 to block malicious commands pasted by users.
  • Jamf Threat Labs discovered a new ClickFix variant that uses fake webpages to trigger an applescript:// URL scheme.
  • This method forces the Script Editor to open with pre-filled malicious code, effectively circumventing the Terminal-based security warning.
  • Once executed, the script downloads obfuscated payloads, such as the Atomic Stealer, onto the victim's Mac.
  • ClickFix has become a popular delivery mechanism for malware because it relies on social engineering rather than requiring signed or notarized software.
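
A defender-side check for the delivery step described in the key points, as an added example (not code from the article or from Jamf Threat Labs): it scans page HTML for any use of the applescript:// scheme and flags pre-filled content that suggests shell execution or a download. The marker strings, the function name and the sample HTML are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumed heuristics (not from the article): strings in the decoded URL that
# suggest the pre-filled script runs shell commands or fetches a payload.
SUSPICIOUS_MARKERS = ("do shell script", "curl", "base64")

# Any applescript: URL, whether in an href, a form action or inline JavaScript.
SCHEME_URL = re.compile(r"""applescript:[^\s"'<>]+""", re.IGNORECASE)


def scan_html(page: str) -> list[dict]:
    """Return one finding per distinct applescript: URL found in the page."""
    # Resolve HTML entities first so &amp; / &#58; style encoding cannot hide the URL.
    text = html.unescape(page)
    urls = list(dict.fromkeys(SCHEME_URL.findall(text)))  # dedupe, keep order
    findings = []
    for url in urls:
        # Percent-decode so markers match the script text the user would see.
        decoded = unquote(url).lower()
        markers = [m for m in SUSPICIOUS_MARKERS if m in decoded]
        findings.append({
            "url": url,
            "markers": markers,
            # A web page has little legitimate reason to open Script Editor,
            # so even a marker-free hit is worth a manual look.
            "severity": "high" if markers else "review",
        })
    return findings


# Constructed sample page: placeholder host and parameter, harmless echo command.
SAMPLE_HTML = """
<a href="applescript&#58;//placeholder?x=do%20shell%20script%20%22echo%20constructed%22">Fix now</a>
<script>var next = "applescript://placeholder?x=hello";</script>
<a href="https://example.com/help">Help</a>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["severity"], finding["markers"], finding["url"])
```

The same function can be run over pages captured by a web proxy or mail gateway; a "review" result means the scheme was present but none of the assumed markers matched.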

Why it Matters

This evolution in delivery tactics highlights the ongoing cat-and-mouse game between Apple and cybercriminals as security features become more robust. Organizations must remain vigilant, as attackers are increasingly shifting their focus toward social engineering and native application vulnerabilities to bypass system-level defenses.
9to5Mac Published by Arin Waichulis