ClickFix is a sophisticated social engineering technique first observed in the wild in 2024 that tricks users into manually pasting malicious commands into their Terminal.
Threat actors lure victims through fake CAPTCHA tests, counterfeit error messages, or fraudulent software installers, instructing them to copy a text string and paste it directly into the macOS Terminal.
Because the user manually initiates the action, the operating system treats the command as authorized, bypassing standard security filters entirely.
Once executed, these commands typically download and install malware such as the MacSync infostealer, harvesting sensitive data including Keychain credentials, browser cookies, and cryptocurrency wallet details, often running entirely in memory to evade detection.
ClickFix was reportedly responsible for more than half of all malware loader activity in 2025.
When a user copies a potentially dangerous command from Safari and attempts to paste it into Terminal, macOS Tahoe 26.4 now delays execution and displays a prominent warning dialog.
The alert reads: “Possible malware, Paste blocked. Your Mac has not been harmed. Scammers often encourage pasting text into Terminal to try to harm your Mac or compromise your privacy.
These instructions are commonly offered via websites, chat agents, apps, files, or a phone call.
Users are presented with a primary “Don’t Paste” button to abort the action, alongside a secondary “Paste Anyway” option for legitimate administrative tasks.
The protection targets the core mechanism of pastejacking: the near-instant paste-and-execute sequence that attackers depend on, especially since commands with a trailing newline execute immediately without pressing Return.
By inserting a mandatory confirmation step at the moment of paste, Apple interrupts this attack chain before any harm occurs.
Notably, Apple did not mention this Terminal safeguard in the official macOS Tahoe 26.4 release notes, which focused on developer tool updates and SwiftUI fixes.
The feature was independently discovered by the security community after the release candidate build became available.
According to user testing, the warning appears only once per Terminal session rather than on every paste, preventing disruption for experienced developers.
By adding this layer of friction, Apple aims to shield less technical users from inadvertently compromising their own systems, while still allowing advanced users to proceed with legitimate commands through the “Paste Anyway” option.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post Apple’s macOS Tahoe Introduces Protection Against ClickFix Attacks appeared first on Cyber Security News.
Google has officially moved its ransomware detection and file restoration features for Google Drive into…
A new remote access trojan known as ResokerRAT has come to light, using Telegram’s bot…
Anthropic’s proprietary Claude Code CLI tool has had its full TypeScript source code inadvertently exposed…
A high-severity security flaw has been disclosed in Smart Slider 3, one of the most…
A new and dangerous phishing toolkit has entered the cybercrime scene. In early 2026, a…
According to a criminal complaint, investigators learned new information from a 911 call Oninski made…
This website uses cookies.