TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Infosecurity Magazine

Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings

2026-04-09

ATT&CK techniques detected

5 predictions
T1204.004 Malicious Copy and Paste · 96%
"atomic stealer macos clickfix attack bypasses apple security warnings a malware campaign which targets macos systems, distributed using a clickfix attack, has evolved to exploit script editor as the execution vector rather than the typical terminal-based point of execution. ide…"

T1204.004 Malicious Copy and Paste · 92%
"editor, which is where the user is encouraged to enter the commands. a new method to avoid macos security warnings apple attempted to counter clickfix attacks in the macos 26.4 update by introducing a security feature that scans commands pasted into terminal before they're exe…"

T1204.004 Malicious Copy and Paste · 86%
"asked to follow step-by-step instructions to supposedly reclaim the disk space on their mac, which leads them to open script editor and paste in what are in fact malicious commands which execute the malware payload and infect the victim’s system. “by shifting execution fro…"

T1204.002 Malicious File · 53%
"asked to follow step-by-step instructions to supposedly reclaim the disk space on their mac, which leads them to open script editor and paste in what are in fact malicious commands which execute the malware payload and infect the victim’s system. “by shifting execution fro…"

T1204.001 Malicious Link · 49%
"editor, which is where the user is encouraged to enter the commands. a new method to avoid macos security warnings apple attempted to counter clickfix attacks in the macos 26.4 update by introducing a security feature that scans commands pasted into terminal before they're exe…"

Summary

The macOS 26.4 update introduced security warnings in Terminal to prevent ClickFix attacks, so attackers have shifted to Script Editor instead.