{"id":51529,"date":"2026-04-09T17:11:52","date_gmt":"2026-04-09T21:11:52","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=51529"},"modified":"2026-04-09T17:11:52","modified_gmt":"2026-04-09T21:11:52","slug":"clickfix-now-uses-script-editor-instead-of-terminal","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2026\/04\/09\/clickfix-now-uses-script-editor-instead-of-terminal\/","title":{"rendered":"ClickFix Now Uses Script Editor Instead of Terminal"},"content":{"rendered":"<p><a href=\"https:\/\/www.jamf.com\/blog\/clickfix-macos-script-editor-atomic-stealer\/\">Thijs Xhaflaire<\/a> (via <a href=\"https:\/\/appleinsider.com\/articles\/26\/04\/08\/mac-script-editor-becomes-new-entry-point-for-clickfix-malware\">Andrew Orr<\/a>):<\/p>\n<blockquote cite=\"https:\/\/www.jamf.com\/blog\/clickfix-macos-script-editor-atomic-stealer\/\">\n<p>Unlike traditional ClickFix campaigns that instruct users to paste commands directly into Terminal, the discovered variant uses a browser-triggered workflow to launch Script Editor.<\/p>\n<p>[&#8230;]<\/p>\n<ul><li>The page leverages an applescript:\/\/ URL scheme<\/li> <li>Clicking the &ldquo;Execute&rdquo; button invokes this URL scheme from the browser<\/li> <li>The browser prompts the user to allow Script Editor to open<\/li> <li>Once opened, a pre-filled script is presented for execution<\/li><\/ul>\n<p>[&#8230;]<\/p>\n<p>This payload uses base64 encoding combined with gzip compression to obscure its contents before execution.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2026\/04\/03\/macos-26-4-paste-protection\/\">macOS 26.4 Paste Protection<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Thijs Xhaflaire (via Andrew Orr): Unlike traditional ClickFix campaigns that instruct users to paste commands directly into Terminal, the discovered variant uses a browser-triggered workflow to launch Script Editor. [&#8230;] The page leverages an applescript:\/\/ URL scheme Clicking the &ldquo;Execute&rdquo; button invokes this URL scheme from the browser The browser prompts the user to allow [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2026-04-09T21:11:55Z","apple_news_api_id":"c02ad876-d0a4-44b3-8263-ab65108cefe5","apple_news_api_modified_at":"2026-04-09T21:11:56Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AwCrYdtCkRLOCY6tlEIzv5Q","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[159,30,2742,504,48,489,96],"class_list":["post-51529","post","type-post","status-publish","format-standard","hentry","category-technology","tag-applescript","tag-mac","tag-macos-tahoe-26","tag-malware","tag-security","tag-url","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=51529"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51529\/revisions"}],"predecessor-version":[{"id":51530,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/51529\/revisions\/51530"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=51529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=51529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=51529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}