ClickFix attacks targeting Mac users now use Script Editor instead of Terminal, a shift that sidesteps Apple’s latest protections and streamlines the attack.
ClickFix tricks the user
ClickFix tricks the user
Apple introduced command scanning for pasted input in macOS 26.4, which added friction to earlier versions of the attack. Attackers now avoid that step by replacing copy-and-paste instructions with a guided workflow that launches Script Editor directly.
Jamf says the campaign delivers a payload identified as a variant of Atomic Stealer through a fake system cleanup process. ClickFix attacks have traditionally relied on persuading users to copy and paste malicious commands into Terminal.