- A ClickFix malware attack was found on FBI Director Kash Patel’s BasedApparel.com, targeting macOS users with fake Cloudflare verification.
- The ClickFix malware attack tricks users into pasting a hidden malicious command into Terminal, stealing browser credentials and crypto wallet data.
- 27 antivirus engines on VirusTotal flagged the payload as malicious, classifying it as a Trojan infostealer written in AppleScript.
- Apple is adding a Terminal paste-protection safeguard in macOS Tahoe 26.4 that would stop exactly this type of attack.
FBI Director’s Merch Site Hit by Shocking ClickFix Malware Attack
The ClickFix malware attack discovered on FBI Director Kash Patel’s merchandise website is a stark reminder that no site is too prominent to be targeted. BasedApparel.com — a brand co-owned by Kash Patel and Andrew Ollis — was caught hosting a sophisticated social engineering scheme designed to steal credentials from macOS users. The uncomfortable irony of finding a ClickFix malware attack on a site linked to the FBI’s own director is hard to overstate.
The attack was first spotted on a Thursday by a user based in Portugal. Visitors to the site were shown a fake Cloudflare verification page — a hallmark of the ClickFix malware attack technique — that instructed them to open Terminal and paste in a command. That command, invisible to most users, silently executed a malicious AppleScript payload designed to harvest browser credentials and cryptocurrency wallet data.
This style of ClickFix malware attack is particularly dangerous because it bypasses most conventional browser-based defenses. Rather than exploiting a software vulnerability, it exploits human trust. Users believe they are completing a routine bot-verification step. Instead, they hand attackers direct access to their most sensitive stored data.
How the ClickFix Malware Attack Works on macOS
The ClickFix malware attack method has grown increasingly common as a way to target macOS users, who have historically been considered less vulnerable than Windows users. The attack flow is deceptively simple. A fake Cloudflare CAPTCHA page tells the visitor that verification requires a manual step. The user is prompted to press a keyboard shortcut, which silently copies a malicious command to the clipboard. They are then told to open Terminal and paste the command.
Once pasted and executed, the payload runs as an AppleScript infostealer. It searches the system for stored browser credentials, saved passwords, and cryptocurrency wallet files, then transmits that data to an attacker-controlled server. The entire process takes seconds and leaves most users completely unaware anything went wrong.
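The page-side half of the flow just described (a verification pretext, JavaScript that writes to the clipboard, and text telling the visitor to open Terminal and paste) is what a site owner or crawler can look for. The following scanner is an added example written for this article, not code from the incident or from any vendor; it scores an HTML document on that combination of indicators. The sample pages, URLs and the `window.__c` variable are constructed for the example, and the patterns are heuristics, so a hit is a lead for review rather than proof.

```python
"""Heuristic scanner for ClickFix-style lure pages (added example).

Flags the combination the article describes: a bot-verification pretext,
a clipboard write from JavaScript, and an instruction to paste into a
terminal. Sample pages are constructed; nothing is fetched.
"""
import re
from dataclasses import dataclass, field

# One broad regex per indicator. Individually these are weak signals; the
# clipboard write + terminal instruction pair is what defines ClickFix.
INDICATORS = {
    "verification_pretext": re.compile(
        r"(verify (you are|you're) human|checking your browser|captcha|ray id)", re.I),
    "clipboard_write": re.compile(
        r"(navigator\.clipboard\.writeText|execCommand\(\s*[\"']copy[\"']\s*\)"
        r"|addEventListener\(\s*[\"']copy[\"'])", re.I),
    "terminal_instruction": re.compile(
        r"(open (the )?terminal|press (⌘|cmd|command|win|windows)\s*\+\s*(space|r)\b"
        r"|paste (the|this) command|run dialog)", re.I),
}


@dataclass
class ScanResult:
    url: str
    hits: dict = field(default_factory=dict)   # indicator name -> matched snippet

    @property
    def score(self) -> int:
        return len(self.hits)

    @property
    def suspicious(self) -> bool:
        # The defining pair; the pretext only raises confidence.
        return "clipboard_write" in self.hits and "terminal_instruction" in self.hits


def scan_html(url: str, html: str) -> ScanResult:
    """Run every indicator over the document and keep the first match of each."""
    result = ScanResult(url)
    for name, pattern in INDICATORS.items():
        m = pattern.search(html)
        if m:
            start = max(0, m.start() - 20)
            result.hits[name] = html[start:m.end() + 20].replace("\n", " ")
    return result


# Constructed samples: a plain interstitial and a ClickFix-style lure.
SAMPLE_PAGES = {
    "https://shop.example/": """
      <html><body><h1>Checking your browser before accessing shop.example</h1>
      <p>This process is automatic. Your browser will redirect shortly.</p>
      </body></html>""",
    "https://shop.example/verify": """
      <html><body><div class="cf-box"><h2>Verify you are human</h2>
      <p><b>Step 1:</b> Press ⌘ + Space, type Terminal and open it.</p>
      <p><b>Step 2:</b> Paste the command (already copied) and press Return.</p>
      <script>
        document.addEventListener('copy', function (e) { /* hidden clipboard content */ });
        navigator.clipboard.writeText(window.__c);   /* window.__c is a placeholder */
      </script></div></body></html>""",
}


def scan_samples() -> dict:
    return {url: scan_html(url, html) for url, html in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, res in scan_samples().items():
        flag = "SUSPICIOUS" if res.suspicious else "ok"
        print(f"{flag:10} score={res.score} {url} {sorted(res.hits)}")
```

Run against a crawl of your own pages, the useful output is the `suspicious` flag rather than the raw score: a genuine Cloudflare interstitial trips the pretext indicator alone, while a lure page trips the clipboard and terminal indicators together.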
In this specific ClickFix malware attack on BasedApparel.com, 27 of the antivirus engines on VirusTotal flagged the payload as malicious. It was classified as a Trojan infostealer, a category of malware specifically engineered to extract and exfiltrate personal and financial data.
Why This ClickFix Malware Attack Matters Beyond the Irony
The connection to the FBI director makes headlines, but the broader implications of this ClickFix malware attack are significant for any website owner or visitor. Legitimate, high-profile websites can be compromised and used as delivery vehicles for malware without the site owners’ knowledge. Visitors reasonably extend trust to recognizable brands, and attackers exploit exactly that trust.
The BasedApparel.com incident also highlights how quickly a ClickFix malware attack can slip past standard security monitoring. The site’s operators apparently had no idea the malicious page was live until an external researcher flagged it. This is consistent with how ClickFix campaigns operate — injecting or redirecting to a rogue page that mimics trusted services like Cloudflare.
Apple is responding to this class of threat. The company is adding a Terminal paste-protection safeguard in macOS Tahoe 26.4. That feature would alert users before executing a pasted command in Terminal, which would directly interrupt the ClickFix malware attack chain before the payload runs. Security researchers have welcomed the addition, noting it addresses a technique that has been abused across dozens of campaigns in the past year. You can read more about macOS security developments at Apple’s official security updates page.
Until that protection is widely deployed, the best defense against a ClickFix malware attack remains awareness. Users should treat any website instruction to open Terminal and paste a command as a serious red flag, regardless of how official the surrounding page appears. No legitimate service requires this step for bot verification.
What Site Owners Can Do to Prevent a ClickFix Malware Attack
The BasedApparel.com case is a warning for every website operator. A ClickFix malware attack does not require the site owner to be negligent — attackers can inject malicious redirects through compromised third-party scripts, ad networks, or vulnerable plugins. Any of these entry points can silently transform a trustworthy page into a credential-harvesting trap.
Site owners should conduct regular audits of all third-party scripts loaded on their pages. Implementing a strict Content Security Policy (CSP) can limit the ability of injected scripts to redirect users or load external resources. Monitoring tools that alert on unexpected page changes provide an early warning layer that can catch a ClickFix malware attack before it affects large numbers of visitors.
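The two controls recommended above, a script allowlist audit and a strict Content Security Policy, can be checked together. The script below is an added example written for this article, not the site's or any vendor's code: it collects the `<script>` elements from a page, reports origins that are not on the owner's allowlist, and evaluates each script URL against a CSP header using a simplified host-source matcher (scheme sources, exact hosts and `*.` wildcards; ports, paths, nonces and hashes are not modelled). The page, the allowlist, the `static.injected-placeholder.invalid` origin and both policies are constructed for the example.

```python
"""Audit page scripts against an allowlist and a CSP (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def origin_of(url: str) -> str:
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}".lower()


class ScriptCollector(HTMLParser):
    """Collect external script URLs and count non-empty inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True          # an inline body follows

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def parse_csp(header: str) -> dict:
    """'default-src 'self'; script-src 'self' https://cdn.example' -> {directive: [sources]}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_source_matches(source: str, url: str) -> bool:
    """Simplified CSP host-source matching; ports and paths are ignored."""
    u = urlparse(url)
    if source == "*":
        return True
    if source.endswith(":"):                # scheme source, e.g. "https:"
        return u.scheme == source[:-1]
    if "://" in source:
        s = urlparse(source)
        if s.scheme != u.scheme:
            return False
        host_pattern = s.hostname or ""
    else:                                   # scheme-less host: any scheme here
        host_pattern = source.split("/")[0]
    host = u.hostname or ""
    if host_pattern.startswith("*."):
        return host.endswith(host_pattern[1:])
    return host == host_pattern


def script_sources(policy: dict) -> list:
    return policy.get("script-src", policy.get("default-src", []))


def script_allowed(policy: dict, url: str, page_origin: str) -> bool:
    for source in script_sources(policy):
        if source == "'self'":
            if origin_of(url) == page_origin:
                return True
        elif source.startswith("'"):
            continue                        # keywords, nonces, hashes: not host matches
        elif host_source_matches(source, url):
            return True
    return False


def audit_page(html: str, page_url: str, csp_header: str, allowed_origins) -> dict:
    collector = ScriptCollector()
    collector.feed(html)
    policy = parse_csp(csp_header)
    page_origin = origin_of(page_url)
    absolute = [urljoin(page_url, s) for s in collector.external]
    return {
        "unexpected_origins": sorted({origin_of(u) for u in absolute} - set(allowed_origins)),
        "blocked_by_csp": [u for u in absolute if not script_allowed(policy, u, page_origin)],
        "inline_scripts": collector.inline,
        # Simplified: inline scripts run only under 'unsafe-inline' here.
        "inline_allowed": "'unsafe-inline'" in script_sources(policy),
    }


# Constructed inputs: a page with one injected third-party script and one inline block.
PAGE_URL = "https://shop.example/"
ALLOWED_ORIGINS = {"https://shop.example", "https://cdn.example"}
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="https://static.injected-placeholder.invalid/cf.js"></script>
</head><body><script>window.__c = 'placeholder';</script></body></html>"""
WEAK_CSP = "default-src * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, audit_page(SAMPLE_HTML, PAGE_URL, csp, ALLOWED_ORIGINS))
```

The allowlist check is the early-warning layer: it fires on the unknown origin under either policy. The CSP check shows why the policy matters as well: the weak header permits the injected script and the inline block, whereas the strict header blocks both, so an injection that survives the audit still cannot run.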
For visitors, the rule is straightforward: never open Terminal or a command prompt at a website’s instruction. Legitimate Cloudflare verification, or any other bot-detection service, never requires pasting commands into a system terminal. Treating that request as an automatic red flag — no matter how polished the surrounding page looks — is the single most effective personal defense against this growing class of social engineering threat.
Source: Hacker News