Latest ClickFix news

Bogus AI downloads tricked macOS users into pasting Terminal commands that dropped the MacSync infostealer. Sophos tracked 50,000+ clicks in days. A parallel InstallFix variant hits developers because curl | sh is a legitimate pattern.

A five-year ransomware affiliate that cycled through Ryuk, Conti, BlackCat, and RansomHub now uses ClickFix to stage Termite ransomware intrusions via CastleRAT. MalBeacon tracked 12 days of hands-on-keyboard activity in a U.S. environment.

Sponsored Google results for "Claude Code install" lead to pixel-perfect clones of Anthropic's documentation that deliver Amatera Stealer. Push Security found at least 17 fake domains. Both macOS and Windows are targeted.

A fake CleanMyMac website tricks macOS users into running a Terminal command that installs SHub Stealer — an infostealer targeting 14 browsers and 102 crypto extensions. Worse, it silently backdoors Exodus, Ledger, Atomic, and Trezor wallets to harvest seed phrases …