惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Register - Security
The Register - Security
A
About on SuperTechFans
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LangChain Blog
N
Netflix TechBlog - Medium
量子位
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
H
Help Net Security
D
Docker
D
DataBreaches.Net
T
Tailwind CSS Blog
阮一峰的网络日志
阮一峰的网络日志
B
Blog
博客园 - 聂微东
Apple Machine Learning Research
Apple Machine Learning Research
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
F
Full Disclosure
GbyAI
GbyAI
F
Fortinet All Blogs
Last Week in AI
Last Week in AI
Y
Y Combinator Blog
人人都是产品经理
人人都是产品经理
Recent Announcements
Recent Announcements
博客园 - Franky
MongoDB | Blog
MongoDB | Blog
有赞技术团队
有赞技术团队
博客园 - 叶小钗
小众软件
小众软件
V
Visual Studio Blog
月光博客
月光博客
Stack Overflow Blog
Stack Overflow Blog
The GitHub Blog
The GitHub Blog
Recorded Future
Recorded Future
J
Java Code Geeks
雷峰网
雷峰网
P
Privacy & Cybersecurity Law Blog
C
Cisco Blogs
C
Cyber Attacks, Cyber Crime and Cyber Security
AWS News Blog
AWS News Blog
Webroot Blog
Webroot Blog
美团技术团队
N
News | PayPal Newsroom
G
Google Developers Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
博客园_首页
V
Vulnerabilities – Threatpost

The Register - Security: Cyber-crime

Election interlopers register 5K+ domains, hope to catch some voting phish Palo Alto VPN bug graduates from advisory to active exploitation ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak Carnival confirms ShinyHunters cruised off with 6M customer records after April breach CrowdStrike, Google shatter Glassworm botnet MyPillow must decide whether to be firm or soft as ransomware crims demand pay A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets Shai-Hulud copycat worm infects yet another npm package Grafana Labs admits all its codebase are belong to someone who popped its GitHub account Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data Malware crew TeamPCP open-sources its Shai-Hulud worm on GitHub Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files Cache-poisoning caper turns TanStack npm packages toxic 'CopyFail' attackers start cashing in on Linux flaw Cushman & Wakefield confirms vishing cyberattack ShinyHunters claims dump puts 119K Vimeo emails in the wild ShinyHunters claims 119K Vimeo emails in the wild Critical cPanel exploited: 'Millions' of sites could be hit Pro-Iran group turns Ubuntu DDoS into shakedown French prosecutors link 15-year-old to gov mega-breach UK business breach rate stuck at 43%... blame the phishing What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia Chinese spy group caught lurking in Poland, Asia networks Don’t pay VECT a ransom - your big files are likely gone Pitney Bowes the latest victim of ShinyHunters’ breach-spree Ongoing supply-chain attack targets security, dev tools Medical and utility tech companies admit digital breakins Burglar alarm biz gets burgled, ShinyHunters pursues ransom Crime crew impersonates help desk, abuses Teams chats ShinyHunters claim they have cruise giant Carnival’s booty CISA, NCSC issue Firestarter backdoor warning 500k Biobank volunteers' data listed for sale on Alibaba Another npm supply chain worm hits dev environments France's 'Secure' ID agency probes breach as crooks claim 19M records France's 'Secure' ID agency probes claimed 19M record breach macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords Third ransomware pro pleads guilty to cybercrime U-turn AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account AI-pwned: Vercel breach traced to stolen employee creds Crook claims to leak 'video surveillance footage' of companies Crook claims to leak 'video surveillance footage' of firms Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Adaptavist Group breach: Ransomware crew claims mega-haul Scot becomes second Scattered Spider-linked crook to plead guilty in US US gets second Scattered Spider-linked guilty plea North Korea targets macOS users in latest heist McGraw Hill linked to 13.5M-record data leak McGraw Hill linked to 13.5M-record data leak Autovista blames ransomware for service disruption Autovista blames ransomware for service disruption No honor among thieves as 0APT threatens rival ransomware gang Krybit 0APT ransomware gang extorts Krybit amid doxxing threat Fake Linux leader using Slack to con devs into giving up their secrets Fake Linux Foundation leader using Slack to phish devs Booking.com warns of possible reservation data exposure Booking.com warns of possible reservation data exposure Gym giant Basic-Fit breached with at least 1M affected US, UK, Canadian cops disrupt $45M global crypto scam www.theregister.com Old Adobe Reader zero-day uses PDFs to size up targets Zephyr Energy loses £700K to contractor payment fraud Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns Russia's APT28 behind latest wave of router, DNS attacks AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack Mercor says it was 'one of thousands' hit in LiteLLM attack Telnyx package latest hit in PyPI supply-chain compromise Telnyx package latest hit in PyPI supply-chain compromise European Commission admits breach of public web systems European Commission admits breach of public web systems AFC Ajax drops ball as hackers transfer tickets, lift bans AFC Ajax drops ball as hackers transfer tickets, lift bans HackerOne slams supplier for delayed breach notice after staff data exposed HackerOne slams supplier over delayed breach notice Russian initial access broker jailed for 81 months in US Russian initial access broker jailed for 81 months in US Smooth criminals talking their way into cloud environments, Google says Chip tester shrugged off ransomware – then came the leak Chip tester shrugged off ransomware – then came the leak Russians posing as Signal support to launch phishing raids JLR cyber bailout risks dangerous precedent, watchdog warns Unknown attackers exploit yet another critical SharePoint bug Microsoft Intune: Lock it down, warn feds after Stryker Ransomware crims abused Cisco 0-day weeks before disclosure North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un Robotics surgical biz Intuitive discloses phishing attack Cybercrime up 245% since the start of the Iran war AI-driven fraud far more profitable, Interpol warns Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs Interpol sinkholes 45,000 IPs linked to global cybercrime SocksEscort fraud-enabling proxy service taken down CISA warns max-severity n8n bug is being exploited in the wild Iran-linked cyber crew claims hit on US med-tech firm Meta, cops deploy AI and handcuffs in scam crackdown Dutch police collar teen over string of bank card frauds EU law advisor wants cybercrime protections fast-tracked Cybercrime isn't just a cover for Iran's government goons Crooks compromise WordPress sites, spread infostealers Ericsson breach blamed on third party vendor vishing attack Polish cyber police busts gang of alleged teen DDoS peddlers
macOS ClickFix attacks deliver AppleScript stealers
Jessica Lyons Jessica Lyons · 2026-04-21 · via The Register - Security: Cyber-crime

Cyber-crime

macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets

Data from browsers, cryptocurrency wallets, 200+ extensions hoovered up

A ClickFix campaign targeting macOS users delivers an AppleScript-based infostealer that collects credentials and live session cookies from 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions.

Netskope Threat Labs researcher Jan Michael Alcantara told The Register the team initially observed the campaign last month, and has seen similar instances as recently as last week.

ClickFix is a super popular social engineering tactic used to trick people into executing malicious commands on their own computers, usually by clicking a fake computer problem fix or CAPTCHA prompt.

While the researchers don't know who the cookie thief is, they note the malware can infect both Windows and macOS machines - Netskope previously warned about the Windows-focused attacks - by using a client-side JavaScript to filter victims by user-agent, ignoring mobile devices and directing desktop users to either a Windows or macOS-specific payload.

Victims, we're told, are in Asia and work in the finance sector.

Upon detecting a desktop environment, the malware directs users to a fake CAPTCHA page, performs another inspection to determine the specific desktop OS, and then checks for macOS-specific strings within the user-agent that are used to load the AppleScript-based stealer.

The fake CAPTCHA prompts the user to open Spotlight on their Mac, and then paste a "verification code" into the search feature. The phony code is a curl command, and as soon as the victim hits Enter and executes it on their computer, the command silently downloads a malicious script from the attacker-controlled server. The script collects the victim's username, hardcodes the command-and-control (C2) server address, and creates a temporary directory at /tmp/xdivcmp/ to stage all of the stolen data before sending it to the C2.

Apple did not respond to The Register's inquiries for this story, but it's important to note that the latest versions of macOS Tahoe (26.4) or macOS Sequoia include a new feature designed to block ClickFix attacks. It alerts users when they attempt to paste potentially malicious commands into the Terminal application, so update your operating system to help detect and prevent these types of ClickFix attacks.

But if a user is running an older OS version, or for some reason ignores the macOS warning and clicks the "paste anyway" option, the malware moves on to the credential-harvesting stage by deploying a very sneaky social engineering dialog box that loads the authentic macOS system lock icon from local resources. Users see the lock, think it's a legit Apple dialog box, and then enter their system password.

The malware also takes extreme measures to force credential entry. It only has a single action button - there's no option for users to close the dialog box window - and it keeps reappearing until the victim enters a valid password. 

This is what the malware steals

User passwords are validated in real time, using macOS's directory services authentication, and if incorrect, the dialog box reappears, with this loop continuing until the person provides a correct password.

Next, it snarfs up all sorts of user data, including the macOS Keychain (which stores saved passwords, Wi-Fi credentials, secure notes, and cryptographic keys), while the malicious dialog loop captures the victim’s password in plaintext.

The stealer also targets 12 Chromium-based browsers: Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Chrome Beta, Chrome Canary, Chromium, Chrome Dev, Arc, and CocCoc. For each of these, it searches user profiles and steals session tokens, authentication cookies, saved passwords and other autofill info including credit card numbers, data from more than 200 browser extensions, and extension databases.

This browser-extension theft is especially insidious as the miscreants' malware is configured to swipe details from cryptocurrency wallets including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and dozens of blockchain-specific ones. It also collects password manager credentials from LastPass, 1Password, Dashlane, Bitwarden, two-factor authentication apps including Authy and Google Authenticator extensions, and various VPN and single sign-on extensions used for corporate access.

In addition to the Chromium browser data, the malware steals cookie databases, form-autofill data, master passwords, and saved credentials from Firefox and Waterfox, another Firefox-based browser.

And beyond browser extensions, the stealer targets 16 standalone desktop cryptocurrency wallet applications: Exodus, Atomic, Electrum, Coinomi, Guarda, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, Dogecoin Core, Monero, Wasabi, Sparrow, Electron Cash, and Electrum-LTC.

Alcantara told us that this infostealer campaign is unrelated to one that also targeted macOS users' credentials and cryptocurrency wallets that Microsoft last week attributed to North Korean criminals despite similar techniques - such as using social engineering even when malware is running.

Netskope has published a full list of indicators of compromise and scripts related to this malware in its GitHub repository, so give that a read. And as the threat hunters note, "this campaign serves as a reminder that social engineering remains a primary threat to both Windows and macOS users." ®