惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
爱范儿
爱范儿
人人都是产品经理
人人都是产品经理
博客园 - 司徒正美
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
量子位
罗磊的独立博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
小众软件
小众软件
C
Cybersecurity and Infrastructure Security Agency CISA
Cyberwarzone
Cyberwarzone
大猫的无限游戏
大猫的无限游戏
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
Simon Willison's Weblog
Simon Willison's Weblog
The Cloudflare Blog
博客园 - 三生石上(FineUI控件)
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园_首页
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
T
The Exploit Database - CXSecurity.com
T
Tailwind CSS Blog
IT之家
IT之家
博客园 - 聂微东
Spread Privacy
Spread Privacy
V2EX - 技术
V2EX - 技术
S
Security Affairs
宝玉的分享
宝玉的分享
V
V2EX
C
Cisco Blogs
博客园 - Franky
美团技术团队
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
S
Securelist
J
Java Code Geeks
Webroot Blog
Webroot Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Proofpoint News Feed
Last Week in AI
Last Week in AI
L
LINUX DO - 热门话题
NISL@THU
NISL@THU
WordPress大学
WordPress大学
W
WeLiveSecurity
T
Threatpost
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
阮一峰的网络日志
阮一峰的网络日志

Comments for The Eclectic Light Company

Should you try Golden Gate beta? Solutions to Saturday Mac riddles 367 In the shadow: Diego Velázquez Comment on Last Week on My Mac: Freshen up your documents by David Comment on Happy 250th birthday America 2 by mac Happy 250th birthday America 1 Brushstrokes: Portraits 1760-1877 Spotlight and Core Spotlight are different Comment on Sort order, collation and the Finder by eyelessjerry Comment on Apple has just released macOS 26.5.2 Tahoe by Derek Currie Great Ladies of Impressionism: Marie Bracquemond Comment on Get more from your Mac’s log by extending its duration by John Gilbert Comment on Keep your Mac cool using physics by F Portraits of trees: Coppices and pollards Comment on Firmware has become complicated again by John Woods Comment on Logistician 1.2 fixes a couple of bugs by info395288a4d1d Comment on What does Activity Monitor measure? by hoakley Last Week on My Mac: Spotlight on semantics An American in Paris: paintings of Henry Ossawa Tanner 1902-1930 An American in Paris: paintings of Henry Ossawa Tanner 1880-1902 Great Ladies of Impressionism: Berthe Morisot 1874-1891 What to do with a hot Mac Deprecations and removals from Golden Gate Brushstrokes: From El Greco to Rembrandt Portraits of trees: Dutch Golden Age How to get the most from SilentKnight 3 Comment on Hero or hooligan: Achilles becomes the warrior by Deborah J. Brasket Solutions to Saturday Mac riddles 365 Comment on SilentKnight 3.0 for Apple silicon Macs running Sequoia and later (full release) by michaelriccioli Comment on Last Week on My Mac: Uncompressed compressed files by fds Comment on Explainer: Memory by jzonedotcom Comment on Colin Campbell Cooper painting America: 1896-1910 by House of Heart Brushstrokes: 16th century What can you do when an app uses too much memory? SilentKnight 3 second beta adds text and JSON reporting In the shadow: Caravaggism What to do with your encrypted HFS+ disks First beta-test version of SilentKnight 3 for Apple silicon Macs Hero or hooligan: Jason and Medea Comment on Fix documents that won’t open as expected using Quarant2 by EcleX Last Week on My Mac: The mystery of Safari’s Web Archives Last Week on My Mac: Why is it so hard to open a document? Explainer: Disk encryption In the shadow: Caravaggio Brushstrokes: innovators of the first century Changing Paintings: 36 Theseus and the Minotaur macOS virtualisation is leaping forward in Golden Gate Why can’t Preview open that PDF? Crossing the Golden Gate, Intel support, and an update to SystHist Reading the Finder’s Get Info dialog In memoriam Mary Cassatt: 2, 1880-81 Last Week on My Mac: What’s in a name? Explainer: Getting a location Get more from Get Info and the Finder’s contextual menu Stop your photos revealing your location Have you saved thousands of versions? Versatility 1.2 might be what you need Apple has released an update to XProtect for all macOS Apple has released macOS Tahoe 26.5.1 Comment on What Location Services do in macOS by Tristan Hubsch Comment on Protect files with the Locked or Immutable flag by markbot2zero Portraits of trees: Introduction Which tasks require mains power? Comment on Online reference to external displays for Apple silicon Macs by Brian What’s in that phishing email? How to search document versions Rubens’ Peace and War Comment on Last Week on My Mac: Syncing metadata in iCloud Drive by hoakley A weekend with Misia: 2 How to search Time Machine backups? Medium and message: Pottery Hero or hooligan: Theseus and the sandals How QuickLook provides thumbnails and previews Hunting extended attributes with an update to xattred Saturday Mac riddles 360 Comment on How to preserve versions, and how to create versioned PDFs by markbot2zero Comment on What gets synced in iCloud Drive? by hoakley Solutions to Saturday Mac riddles 359 Last Week on My Mac: snapshots, the elephant in APFS How to check whether Spotlight is getting the right metadata macOS Tahoe no longer fully supports Time Capsules The bicentenary of Frederic Edwin Church: 1857-77 macOS virtual machines and audio-video syncing Comment on Use Finder tags for categories by Chuck Last Week on My Mac: Dependency and skill fade Comment on Virtualisation on Apple silicon Macs is different by AndyS Painting Pandora and her box: 1883-1919 Mac Easter eggs Painting Spring blossom 2 Comment on The macOS Natural Language framework and Nalaprop by Ingo Comment on The MACL extended attribute by hoakley On Reflection: Cézanne Privacy: Which folders are protected in Tahoe? Last Week on My Mac: Root cause analysis and ClickFix Last Week on My Mac: Root cause analysis and ClickFix Last Week on My Mac: Root cause analysis and ClickFix Why you can’t trust Privacy & Security How can I now have two apps named Pages? How to survive the loss of Rosetta Use Fallback Recovery on Apple silicon Macs Clean install macOS
Last Week on My Mac: Root cause analysis and ClickFix
2026-04-12 · via Comments for The Eclectic Light Company

One of the highlights of my work as a medical practitioner was introducing adverse incident reporting and root cause analysis. Even in the most communicative and affable workplace, it’s often hard to admit that something has gone wrong and discover why. The moment outsiders become involved, it all too easily turns into a bout of blamestorming, driving truth underground.

Once you have seen how root cause analysis can pay off in one situation, you want to apply it elsewhere. So please bear with me as I dig a little deeper into what have become slightly inappropriately known as ClickFix attacks, and have been all the rage for the last few months.

ClickFix attacks in macOS

ClickFix attacks first emerged in Windows in early 2024, but hadn’t been reported in macOS until early December last year, when Stuart Ashenbrenner and Jonathan Semon of Huntress published a detailed account. In macOS they typically consist of three steps:

  1. The victim is lured to a site that promises to fix a real or fictitious problem for them.
  2. The hostile site coaches them to copy an opaque script and paste it into Terminal or another app that can run that script.
  3. The script then downloads its malicious payload, normally a stealer, so bypassing macOS security, and proceeds to steal sensitive information from the user’s account on that Mac.

Those are illustrated by one of the early examples I stepped through in a locked-down virtual machine.

At the top of Google’s sponsored results is a solution from ChatGPT, giving its trusted web address. When I clicked on that, it took me to ChatGPT, where there’s a nice clear set of instructions, described impeccably just as you’d expect from AI. This coaches me how to open Terminal using Spotlight, very professional.

It then provides me with a command I can copy with a single click, and paste straight into Terminal. It even explains what that professes to do.

Once I have done that, scripts like .agent are installed in my Home folder, and my (virtual) Mac is now well and truly owned by its attacker.

At the end of January a variation emerged in sponsored search taking the unsuspecting to a malicious site disguised as a Medium.com blog post.

That started copying the contents of my Documents folder to “FileGrabber”, and wrote several hidden files to the top level of my Home folder, again in the safety of a locked-down VM.

Earlier this month, Jamf Threat Labs reported a similar attack abusing the applescript URL scheme to launch Script Editor and deliver another variant of the popular AMOS/SOMA stealer.

Countermeasures

In addition to Apple’s response in its weekly updates to XProtect’s detection rules, Patrick Wardle at Objective-See was quick to add a defence to his BlockBlock utility in mid-February, and Apple followed suit with an elaborate scheme added to macOS 26.4, released on 24 March. Although important, devising those defences is continuing the game of cat and mouse: no sooner are they in place than the attackers switch to a different ploy, as they have recently done by abusing a URL scheme and Script Editor. macOS offers a seemingly endless supply of mechanisms available for such abuse.

What has largely escaped attention is how bizarre user behaviour has become. Here’s a victim using a thoroughly GUI operating system copying what to them can only be incomprehensible gibberish and pasting it into Terminal, or running it in Script Editor. Why on earth would a user fall prey to that?

Prevention

Over the last few years many have grown accustomed to such strange habits as advice has drifted away from using GUI apps to relying on the command line. One factor has been the long decline in professionally written articles. For many years, my editor at MacFormat wouldn’t let me use Terminal commands in my Q&A pages unless there was no alternative. Almost all the dozens of books around me about Mac OS X rely primarily on what can be accomplished in the GUI, and are liberally illustrated with screenshots.

Over this period, tackling problems on Macs has moved from understanding how to use those GUI tools to blindly entering magic spells in Terminal, and now Script Editor. This trend has been promoted by search engines and most recently AI assistance, both of which are primarily text-based. Ask Google a Mac question, and the chances are you’ll be presented with commands to paste in, rather than a well-written account of how to solve it in the GUI.

Apple and third parties have invested in engineering solutions to problems that are fundamentally human and behavioural. Although it’s comforting to receive weekly updates to XProtect, and ingenious methods to detect potentially dangerous actions, no one has done anything about changing user behaviour. Apple seems reluctant to engage ordinary users beyond nudging them to keep macOS up to date, and no one is trying to save victims from their high risk behaviour.

This is also a common problem in healthcare, where we invest most of our resources in treatment, instead of preventing injury and disease. Although the clickfixers are unlikely to run out of victims, at least their crime could become less profitable.