9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform.
As you may know, a couple weeks ago on Security Bite I was raving about Apple’s new warning prompt in Terminal that appears when a user pastes potentially malicious commands. The security feature was bundled into the public release of macOS Tahoe 26.4 to further disrupt ClickFix attacks, which are now the leading delivery mechanism for malware on Mac.
However, it now appears malware authors are already deploying workarounds.
While the payload it drops is almost always an infostealer or trojan like Atomic Stealer, ClickFix itself isn’t a malware family but a delivery technique that largely relies on social engineering. It typically works by tricking an unsuspecting user into pasting malicious code into Terminal and running it.
Its soaring popularity came in 2025 after Apple released macOS Sequoia, which took a proactive step to help keep Joe Shmoes from executing malware on their Macs. Users on Sequoia could no longer right-click to override Gatekeeper and open software that isn’t signed or notarized by Apple. They now had to go into Settings, then Privacy, and “review security information” before being able to run it. The additional steps and hassle are a far cry from the ease malware authors were used to.
Fake DMG installers took a big hit after that, but ClickFix has since emerged because it’s cheap, fast, and still bypasses Gatekeeper without needing to obtain a signing certificate.
Now, in a recent blog post from Jamf Threat Labs, its security researchers detail a new ClickFix variant that sidesteps Terminal, and with it Apple’s new protections, entirely.
Instead of pushing users to paste a command into Terminal, one example from Jamf includes a fake Apple-themed webpage (spoofed as a “Reclaim disk space on your Mac” page) that features an “Execute” button. Clicking it fires an applescript:// URL scheme in the browser, which prompts the user to open Script Editor with a pre-filled script already loaded. One more click and it runs.
Fake Apple webpage with “Execute” button to launch Script Editor. Image via Jamf.
Prompt to open Script Editor. Image via Jamf.
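For defenders who inspect web content (a proxy, a mail gateway, or a crawler feeding a blocklist), the sketch below flags pages that reference the applescript: URL scheme described above and decodes whatever script text the link would pre-fill. It is an added example, not code from Jamf or 9to5Mac; the sample page, the `com.apple.scripteditor` host, the `action`/`script` query parameters, and the `RISKY` keyword list are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Heuristic markers (assumed list) that the pre-filled script reaches the shell.
RISKY = ("do shell script", "curl ", "osascript", "base64")

# Any applescript: URL, wherever it hides (href, onclick, inline JavaScript).
URL_RE = re.compile(r"applescript:[^\s\"'<>]+", re.IGNORECASE)


class _Collector(HTMLParser):
    """Gather attribute values and text/script bodies; entities get unescaped."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(value for _, value in attrs if value)

    def handle_data(self, data):
        self.chunks.append(data)


def find_applescript_links(html):
    """Return one finding per applescript: URL found in the page."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    findings = []
    for chunk in collector.chunks:
        for url in URL_RE.findall(chunk):
            # parse_qsl percent-decodes, exposing the script a user would see.
            params = dict(parse_qsl(urlsplit(url).query))
            text = " ".join(params.values()).lower()
            findings.append({
                "url": url,
                "params": params,
                "risky": [marker for marker in RISKY if marker in text],
            })
    return findings


# Constructed sample page: a benign link plus an "Execute" button.
SAMPLE_PAGE = '''
<a href="https://example.com/help">Help</a>
<button onclick="location.href='applescript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22constructed%20sample%22'">Execute</button>
'''

if __name__ == "__main__":
    for finding in find_applescript_links(SAMPLE_PAGE):
        print(finding["url"], finding["params"], finding["risky"])
```

Any hit is worth an alert on its own, since ordinary websites have little reason to open Script Editor; the `risky` list only helps with triage.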