Jamf Threat Labs has discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload — bypassing Terminal entirely.
Unlike traditional ClickFix campaigns that instruct users to paste commands directly into Terminal, the discovered variant uses a browser-triggered workflow to launch Script Editor. Users are presented with an Apple-themed webpage claiming to help “reclaim disk space on your Mac.” The page provides step-by-step instructions that appear consistent with legitimate system maintenance guidance. When the user clicks the provided “Execute” button, the page triggers the next stage of the workflow.
The folks at Jamf Threat Labs say they continue to monitor this activity and track related infrastructure and variants. In the Jamf Protect console, customers can configure Threat Prevention, Advanced Threat Controls and Web Protection to Block and Report to help prevent the execution of similar threats. You can read the complete report here.