A scam that can trick Window users into installing malware has also been expanding to try and ensnare macOS owners. But Apple has rolled out a new protection in MacOS 26.4 that can thwart the threat.
The attack method is called “ClickFix,” which involves tricking the user into executing some technical instructions that promise to fix the PC, but will actually install malware. ClickFix can pop up disguised as a fake “Verify You’re Human” test or as a blue screen Windows update, which can dupe less-tech savvy users into following the displayed on-screen instructions.
Victims think they’re simply typing some innocuous commands on their keyboard, but in reality they’re copying and pasting a malicious instruction, asking their Windows PC to execute it through the dialog box. If you’re on a Mac, don’t assume you’re free from the threat. On Wednesday, Microsoft became the latest company to warn about macOS-focused ClickFix attacks, which have also been popping up since at least last year.
The macOS attacks focus on tricking users to open Terminal, a built-in utility that can execute programs. Microsoft’s report found several websites that pretend to offer guidance for freeing up macOS storage or reclaiming Mac disk space. But the instructions on the sites are really designed to trick visitors into copying and pasting a command into the Terminal utility, and then running it, leading to a malware infection.
In addition, Microsoft noted: “Threat actors were also publishing fake troubleshooting posts on the popular blogging site Medium to distribute ClickFix instructions. These posts claim to solve common macOS problems.” Victims can end up infected with malware capable of spying on the machine and stealing data across their programs, including their iCloud Keychains. The user’s cryptocurrency wallet apps can also be replaced with attacker-controlled ones.
The whole scheme essentially preys on non-technical users, when many might assume macOS can’t get viruses. The same tactic can also bypass macOS’s built-in defenses since the Mac owner is being tricked to deliberately install the rogue program onto the machine.
The good news is that Apple in March released a new safeguard in MacOS 26.4 that can protect users from such ClickFix attacks. Apple’s software will now warn users about pasting commands into Terminal, calling it out as a potential malware threat.
This Tweet is currently unavailable. It might be loading or has been removed.
Although Terminal is also a helpful tool for power users to conveniently customize their Macs, Apple says it designed the safeguard specifically to protect novice users from being tricked to run ClickFix-style attacks. As a result, the Terminal warnings won’t appear during the first 24 hours a user sets up a new Mac. The OS will also trigger the warnings less frequently if it determines the Mac owner is likely a software developer by checking for popular software tools that’ve already been installed.
On top of all this, Apple says the warnings will definitely pop up if a command that’s been pasted in Terminal is known to be malicious.
Microsoft’s report noted that Apple’ s safeguard “directly addresses the ClickFix delivery mechanism” that the company discovered. If a user attempts to paste the malicious command into Terminal, a warning will pop-up reading “Possible malware, Paste blocked.” MacOS’s built-in antivirus XProtect has also been updated to protect users from the malware that the attacks try to install.
The Microsoft-discovered sites that were found hosting the macOS ClickFix attacks appear to have been taken down. But it wouldn’t be hard for the hackers to clone and adapt new ones, so users should be on guard. Last month, the security vendor Jamf discovered a similar attack, but it sidesteps Terminal by abusing Apple’s Script Editor app to trick users into installing malware.
As for Windows, Microsoft has been using the built-in Defender antivirus to prevent malware threats. Defender’s SmartScreen Filter can also warn you about phishing pages, but only on the Edge browser. It also doesn’t catch every threat, as our own testing found.
About Our Expert
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
-
Hack Shuts Down Canvas, an Online System Used By Thousands of Schools
-
Valve to Restart Steam Controller Orders on Friday With a Reservation System
-
xAI Becomes SpaceXAI As Elon Musk’s Company Files for Trademarks
-
DJI Urges Customers to Speak Up, Tell the FCC to Stop the Drone Ban
-
AST SpaceMobile Eyes June Launch of Three BlueBirds After Satellite Loss
-
More from Michael Kan
