Hackers Use Mac Script Editor to Install Malware

by Sophie Williams

Cybercriminals have developed a new method to bypass macOS security protections, pivoting away from traditional Terminal-based attacks to exploit the built-in Script Editor. According to research from Jamf Threat Labs, this evolution in the “ClickFix” campaign is specifically designed to deliver the Atomic Stealer malware, which is used to exfiltrate sensitive user data.

A Shift in Execution Strategy

For some time, ClickFix attacks on macOS relied on tricking users into copying and pasting malicious commands directly into the Terminal. However, with the release of macOS 26.4, Apple introduced security measures that scan pasted commands before they can be executed, effectively blocking that specific vector. To circumvent these updated protections, attackers have now turned to Script Editor, a native macOS application used for automating tasks via AppleScript and JavaScript.

The new attack sequence uses a URL scheme to trigger the opening of Script Editor. Once the application is active, the malware is deployed, often with deceptive prompts such as fake disk storage warnings that lure victims into executing the malicious code. This shift highlights the ongoing cat-and-mouse game between OS security updates and the creative methods hackers use to maintain entry points into user systems.

The Role of Atomic Stealer

The ultimate goal of this campaign is the installation of Atomic Stealer. As an infostealer, this malware is engineered to hunt for and steal private information from the infected device. Researchers noted that the use of Script Editor as a delivery mechanism is not entirely unprecedented, as the tool has a well-documented history of being abused by malware actors.

By abusing a legitimate system tool to bypass security warnings, these attacks underscore the critical importance of user vigilance and the continuous need for evolving endpoint security in the macOS ecosystem.
