A malware campaign targeting macOS has evolved from using Terminal as its execution point to exploiting Script Editor, researchers at Jamf Threat Labs report in a blog post. The malware is identified as Atomic Stealer (AMOS) and described as an infostealer and backdoor. The campaign now uses a ClickFix attack: a browser window claiming to be from Apple guides users to paste malicious commands into Script Editor.
According to Jamf Threat Labs, this shift aims to bypass Apple’s security warnings about potentially malicious pastes, which previously appeared in Terminal after the macOS 26.4 update. The researchers note that the attacker preserves a familiar delivery mechanism while changing where the command runs, a small adjustment with a meaningful impact. Thijs Xhaflaire of Jamf Threat Labs is quoted describing the shift in delivery as significant.
The campaign’s lure often takes the form of a full window in the user’s browser offering advice on reclaiming disk space on a Mac. ClickFix remains a popular vector for distributing malware and phishing attacks.