ClickFix Malware Bypasses New Apple Terminal Warnings

Malware authors have developed a way to bypass Apple's new Terminal paste-warning by delivering malicious payloads through the Script Editor ^[1].

This development is significant because it demonstrates how quickly attackers can pivot when security vendors implement new safeguards. By shifting the attack vector from the Terminal to the Script Editor, hackers can continue to infect macOS systems despite Apple's efforts to alert users of dangerous commands.

Apple introduced the Terminal paste-warning in macOS version 13.4, also referred to as Tahoe 26.4 ^[1]. This security feature was designed to block ClickFix-style attacks by warning users before they paste potentially harmful commands into the Terminal application ^[3]. The update was released in April 2026 ^[4].

Researchers at Jamf discovered that the new variant of the malware avoids the Terminal paste prompt entirely ^[2]. Instead, the attackers direct users to the Script Editor to execute the one-click script ^[2]. This maneuver effectively sidesteps the specific warning mechanism Apple built to protect the Terminal environment ^[2].

ClickFix attacks typically trick users into pasting commands that appear to fix a technical issue but actually install malware ^[3]. The shift to Script Editor allows the malware to achieve the same result, executing malicious code on the target machine, without triggering the OS-level alert ^[2].

Security experts said that the ability to execute scripts through alternative system tools highlights a persistent gap in macOS security. While the Terminal warning addresses one specific entry point, the Script Editor remains a viable path for delivering the same payloads ^[2].