Apple counters ClickFix attacks with macOS Terminal warning

Apple has added a new security feature in macOS Tahoe 26.4 that warns users before they enter commands in Terminal that could cause harm. The goal is to stop ClickFix attacks, a social engineering trick that gets users to run malicious commands themselves.


According to ESET, ClickFix activity jumped by more than 500% in the first half of 2025, making it the second-most common attack vector after phishing.

The ClickFix tactic takes its name from fake “Fix It” prompts used to lure victims. When trying to read a webpage or document, or join a call, they see alerts claiming something isn’t working and needs fixing.

The steps direct them to copy and run a command, often a PowerShell script, which downloads malware without going through standard browser checks. Variants present the same flow as human verification or a security update.

Originally used against Windows devices, the tactic has since been adapted to target macOS.

Users on Reddit and X reported the warning over the past week; Apple has not published an official support document about the feature.

“Possible malware, paste blocked. Your Mac has not been harmed. Scammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy. These instructions are commonly offered via websites, chat agents, apps, files, or a phone call,” the warning message says.

It is still unclear which commands trigger the warning, since some users report it does not flag everything copied from the internet into Terminal.
