Mac users are facing a more sophisticated wave of attacks — one that sidesteps Apple’s latest security upgrades by shifting tactics rather than abandoning them.
Security researchers at Jamf Threat Labs have identified a new variation of the ClickFix attack, a technique historically reliant on tricking users into pasting malicious commands into Terminal. That method has now been disrupted by protections introduced in macOS 26.4, which scans pasted commands before execution.
Instead of retreating, attackers adapted.
They’ve moved to a lesser-scrutinised entry point: Script Editor — a built-in macOS tool designed to automate tasks using AppleScript and JavaScript. While legitimate in purpose, it has long been known within cybersecurity circles as a potential vector for abuse.
“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here isn’t surprising,” researchers noted. “What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”
That shift matters. It removes friction from the attack process.
Rather than asking users to manually copy and paste code — a step that can trigger suspicion — attackers now guide victims through a more seamless flow. It begins with a seemingly harmless website offering to “reclaim disk space” on a Mac. A single click on an “Execute” button triggers a custom link, known as a URL scheme, which opens Script Editor with a pre-filled script ready to run.
“This approach reduces direct user interaction,” Jamf explained. “The user is guided from a webpage into a pre-populated Script Editor window rather than entering commands in Terminal.”
The end result remains the same — but the path is more convincing.
Once executed, the script installs Atomic Stealer, a known infostealer capable of extracting sensitive data, including:
• Passwords stored on the device
• Cryptocurrency wallet information
• Browser data and saved credentials
This evolution highlights a broader pattern in cybersecurity. When companies close one door, attackers don’t stop — they look for another way in. Apple’s update successfully addressed one vulnerability, but it also forced bad actors to innovate.
For users, the takeaway is less about technical detail and more about behaviour. Would you click “Execute” on a webpage promising a quick system fix? Would you approve a prompt to open a system tool without fully understanding why?
The attack succeeds not because of a flaw in a single feature, but because it blends into normal user actions.
That raises a critical question: as security systems become more advanced, are attackers getting better at exploiting human trust instead?
Avoiding this type of threat comes down to a few disciplined habits:
• Treat unsolicited “fix” tools with scepticism
• Avoid running scripts or system prompts triggered by websites
• Verify actions before approving system-level access
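For defenders who want to back these habits with a check, the sketch below flags web content that hands a pre-filled script to Script Editor through a URL scheme. It is an added example, not code from Jamf or from this article. The scheme name `applescript`, the `script` query parameter and the indicator phrases are assumptions not stated on the page, and the sample HTML is constructed.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qs

# Assumptions (not named in the article): the URL scheme is "applescript"
# and the pre-filled code travels in a "script" query parameter.
SCHEME = "applescript"
SCRIPT_PARAM = "script"
# Illustrative phrases that suggest the script shells out or fetches code.
INDICATORS = ("do shell script", "curl", "base64")

LINK_RE = re.compile(r"(?i)\b" + SCHEME + r""":[^\s"'<>]+""")

def find_script_editor_links(html):
    """Return one finding per Script Editor URL-scheme link found in html."""
    findings = []
    for match in LINK_RE.finditer(html):
        url = unescape(match.group(0))          # undo &amp; inside attributes
        parts = urlsplit(url)
        if parts.scheme.lower() != SCHEME:
            continue
        params = parse_qs(parts.query)          # also percent-decodes values
        script = " ".join(params.get(SCRIPT_PARAM, []))
        hits = [p for p in INDICATORS if p in script.lower()]
        findings.append({"url": url, "script": script, "indicators": hits})
    return findings

# Constructed sample page: one ordinary link, one "Execute" button whose
# handler points at the URL scheme with a harmless pre-filled script.
SAMPLE_PAGE = """
<a href="https://example.com/help">Help</a>
<button onclick="location.href='applescript://example.invalid?id=1&amp;script=do%20shell%20script%20%22echo%20constructed-sample%22'">Execute</button>
"""

if __name__ == "__main__":
    for f in find_script_editor_links(SAMPLE_PAGE):
        print("Script Editor link:", f["url"])
        print("  decoded script:", f["script"])
        print("  indicators:", f["indicators"] or "none")
```

The same function can be run over proxy-captured page bodies or e-mail HTML; any hit is worth reviewing, since ordinary websites rarely have a reason to open Script Editor.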
Mac devices have long carried a reputation for strong security. Campaigns like this don’t overturn that — but they do underline a shift. The battleground is no longer just code. It’s user behaviour.
Author: George Nathan Dulnuan
