EarlyNarratives
Pricing
Start free trialSign in
Start free trialSign in
Signal

New ClickFix malware variant uses macOS Script Editor to deliver Atomic Stealer

Evidence first: scan the strongest sources, then decide whether to go deeper.

redditrss
malwaremacosexploitsincident_response
Trend in the last 24h
Archive source links paid
Current signal detail is open. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
BackEvidence (4)Get the free brief by emailStart free trial
No card needed for the free brief.
Top sources
  • CSO Online - New ClickFix variant bypasses Apple safeguards
    csoonline.com
  • Atomic Stealer malware abuses macOS Script Editor in new ClickFix attack
    SC Media
  • Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings
    Infosecurity Magazine
  • ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer (via Reddit)
    jamf.com
Overview

A new variant of the ClickFix malware campaign bypasses Apple’s Terminal security warnings by exploiting the macOS Script Editor via the applescript:// URL scheme.

Entities
AppleJamf Threat LabsClickFixAtomic Stealer
Score total
1.61
Momentum 24h
4
Posts
4
Origins
4
Source types
2
Duplicate ratio
0%
Why now
  • Recent macOS 26.4 update introduced Terminal security warnings, prompting attackers to adapt.
  • The new ClickFix variant demonstrates rapid attacker innovation to circumvent Apple’s protections.
  • Understanding this shift is critical for defenders to update detection and response strategies.
Why it matters
  • Attackers bypass macOS Terminal security warnings by exploiting Script Editor, increasing infection success.
  • The one-click execution reduces user hesitation, making malware delivery more seamless and stealthy.
  • Atomic Stealer continues to threaten macOS users by harvesting credentials through evolving tactics.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: medium
Recurring claims
  • ClickFix malware now uses macOS Script Editor via applescript:// URL scheme to bypass Terminal security warnings and deliver Atomic Stealer.
How sources frame it
  • CSO Online: neutral
  • Infosecurity Magazine: neutral
  • Jamf Threat Labs: neutral
All evidence
All evidence
CSO Online - New ClickFix variant bypasses Apple safeguards
csoonline.com
Atomic Stealer malware abuses macOS Script Editor in new ClickFix attack
SC Media
Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings
Infosecurity Magazine
ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer (via Reddit)
jamf.com
Show filters & breakdown
Posts loaded: 0Publishers: 4Origin domains: -Duplicates: -
Showing 4 / 0
Top publishers (this list)
  • csoonline.com (1)
  • SC Media (1)
  • Infosecurity Magazine (1)
  • jamf.com (1)
Top origin domains (this list)
  • Unknown (4)