
FBI Director Patel's Based Apparel Site Was Caught Serving ClickFix Malware

FBI Director Kash Patel's BasedApparel.com was caught serving a ClickFix fake-CAPTCHA attack that bypasses browser security by moving execution to the OS clipboard layer.


PCMag reported on May 21 that BasedApparel.com, the merchandise site co-created by FBI Director Kash Patel, was serving a fake Cloudflare CAPTCHA page designed to trick visitors into pasting a malicious command into Terminal. The payload, flagged by 27 of VirusTotal’s 73 engines, was an AppleScript infostealer targeting Chromium browser credentials and cryptocurrency wallet data. The irony writes itself: the bureau that has publicly warned about ClickFix attacks had its own branded storefront turned into a waterhole for the technique. But the incident matters beyond the headline, because it illustrates a supply-chain problem that every brand-site operator running a stock e-commerce stack now faces.

What Happened

PCMag encountered the attack while browsing BasedApparel.com on a MacBook and was able to trigger the fake CAPTCHA page once in Chrome before it stopped appearing, which suggests the compromise was either intermittent or partially remediated by the time of testing. The site, co-founded by Patel and Andrew Ollis, sells branded merchandise under the “Based” label. Patel has served as FBI Director since February 2025 after a confirmation process that drew attention to his political affiliations and his side business ventures.

The fake CAPTCHA prompted the visitor to copy and paste a command into macOS Terminal. The pasted command, obfuscated via base64, executed an AppleScript payload that harvested stored credentials from Chromium-based browsers and crypto wallet data, then exfiltrated the loot as a zip archive to a domain controlled by the attacker. Twenty-seven of VirusTotal’s scanners flagged the payload as a trojan or infostealer.

How ClickFix Works

ClickFix is a social-engineering technique first identified in October 2023. The attack chain is straightforward but effective: compromised JavaScript on a legitimate site silently replaces the visitor’s clipboard contents with a base64-obfuscated command, then displays a fake CAPTCHA or verification prompt instructing the user to paste into Win+R (on Windows) or Terminal (on macOS). Microsoft’s analysis of the technique describes the clipboard replacement step as the core mechanism. The browser sees only an ordinary clipboard write, which is not anomalous; the paste itself happens outside it. Detection responsibility shifts entirely to the OS layer.

The technique bypasses browser-level security boundaries by design. Content Security Policy, Same-Origin Policy, and sandboxed iframe restrictions all govern what code can execute inside the browser. A user voluntarily pasting into a terminal window is none of those things. The social-engineering wrapper, a fake Cloudflare “Verify you are human” prompt, is visually plausible enough that the average visitor has no reason to question it.

On Windows, the paste target is the Run dialog (Win+R). On macOS, it is Terminal. An April 2026 variant bypassed Apple’s Terminal warning entirely by using the applescript:// URI scheme for one-click execution without opening Terminal at all.

Why This Site Matters

BasedApparel.com was not targeted because Patel is the FBI Director. Security researchers note that ClickFix operators typically gain access to legitimate sites by stealing admin credentials, exploiting exposed admin panels, or leveraging vulnerable plugins in stock CMS platforms. The attacker likely had no idea whose site they had compromised, or didn’t care. A DTC merch store on a standard e-commerce stack is low-hanging fruit regardless of who owns it.

The incident is structurally useful for security practitioners for two reasons:

  1. Waterhole economics. Any site with real traffic and a stock backend is a candidate. The operator doesn’t need to phish specific targets; they compromise a site that the targets already visit. A politically branded merch store with media visibility simply generates more press coverage when it gets caught.

  2. Policy ammunition. Every proposed mitigation for clipboard-based attacks (Defender ASR rules restricting Win+R execution, RunMRU registry monitoring, macOS Terminal paste warnings) needs a concrete incident to justify the deployment cost and user friction. The FBI director’s own merch store being the exemplar is the kind of anecdote that moves policy in a way that abstract risk assessments do not.

The ClickFix Threat in 2026

ClickFix surged 517% in the first half of 2025 according to vendor telemetry, making it the second most common attack vector after phishing at roughly 8% of blocked attacks. Those numbers come from security vendor reporting, not independent measurement, and should be read with the usual caveats about vendor-marketed threat statistics.

The technique has been adopted by nation-state groups including Russia’s APT28, North Korea’s Kimsuky, and Iran’s MuddyWater, used to deliver malware families such as Lumma Stealer, DarkGate, NetSupport RAT, and AsyncRAT. Commercial ClickFix builders are available on underground forums, lowering the barrier to entry beyond state-level operators.

The attack surface is also evolving. In March 2026, Atos researchers documented a variant that used net use to map a WebDAV drive and execute a trojanized Electron app (a spoofed WorkFlowy installer) with a C2 beacon hidden inside an ASAR archive. That variant bypassed Microsoft Defender for Endpoint entirely. The technique is not standing still, and the defensive catalog keeps chasing the latest delivery mechanism rather than addressing the structural gap.

The Detection Gap

The core problem is architectural. Browser security models assume that the threat is code executing inside the browser sandbox. ClickFix moves the execution outside the sandbox by convincing the user to do it manually. No browser security boundary is violated because no browser security boundary is involved.

This leaves three detection surfaces:

  • Clipboard monitoring. Detecting that clipboard contents have been replaced with obfuscated shell commands. This is technically feasible but raises privacy concerns and produces false positives on legitimate clipboard use by developers and admins.
  • OS-level paste warnings. Apple added a Terminal warning in macOS Tahoe 26.4 (March 2026) that prompts the user before executing pasted commands. This is the most user-friendly mitigation, but it depends on the user reading and heeding the warning.
  • Endpoint detection and response. ASR rules in Microsoft Defender can restrict execution from the Run dialog, and RunMRU registry keys can be monitored for anomalous entries. Both add operational overhead and can break legitimate workflows.

The April 2026 applescript:// variant demonstrates the limitation of OS-level warnings: if the execution path doesn’t go through Terminal, the Terminal warning never fires. Defensive layers that target a specific execution path rather than the clipboard-replacement mechanism itself will continue to lag behind variants that shift the delivery vector.

What’s Still Missing

No public statement from BasedApparel.com or the FBI regarding the compromise has been reported as of May 24. The site’s underlying CMS platform and the specific vector used to inject the malicious JavaScript have not been disclosed. Without that information, the supply-chain lesson remains general: stock e-commerce platforms with exposed admin interfaces or outdated plugins are targets of opportunity, and the operators compromising them are indifferent to who owns the site.

The broader gap is that no mainstream browser has shipped a control that detects or warns about clipboard replacement by JavaScript. The entire defensive model relies on the OS layer to catch what the browser allowed to happen. Until that changes, ClickFix will continue to work against any site whose backend an attacker can reach.

Frequently Asked Questions

How does ClickFix differ from a drive-by download attack?

Drive-by downloads exploit unpatched browser or plugin vulnerabilities to silently install malware with no user interaction. ClickFix requires no software vulnerability at all—only a user willing to follow pasting instructions. Browser hardening over the past decade (sandboxing, auto-updates, deprecating NPAPI plugins) has made drive-bys significantly harder, which is precisely why social-engineering vectors like ClickFix that move execution outside the browser sandbox have surged as a successor technique.

What should a site owner do if they discover ClickFix injection on their site?

Rotate all admin credentials immediately, audit every installed CMS plugin for known CVEs, and scan hosted JavaScript files for base64-encoded strings or calls to the Clipboard API and document.execCommand. ClickFix operators gain initial access through stolen credentials, exposed admin panels, or vulnerable plugins—so removing the injected script without closing the access vector typically results in reinfection within days.

Are Linux or mobile users affected by ClickFix campaigns?

Documented campaigns design their fake CAPTCHA prompts for Windows (Win+R) and macOS (Terminal or applescript:// URI) workflows. Linux users could theoretically be tricked into pasting a shell command into a terminal, but no major campaign has targeted Linux-specific execution paths. Mobile platforms are not meaningfully targeted because neither Android nor iOS exposes a run-dialog or terminal interface that casual users would paste commands into.

What would a browser-level defense against clipboard replacement look like?

A browser control would need to monitor JavaScript clipboard-write calls for content matching shell-command patterns—base64 blobs, long obfuscated strings, or known payload signatures—and warn or block the replacement. The technical gap today is that Chrome’s Permissions-Policy for the Clipboard API governs whether a site can read the clipboard, not what it can write to it, leaving the write path entirely unmonitored. The tradeoff is real: developers routinely copy terminal commands and code snippets from web pages, so any aggressive clipboard filtering risks high false-positive rates against power-user workflows.
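As an added example (not code from the article or from any vendor it cites), the heuristic below serves both the site-owner audit in the earlier answer and the browser-side write-path control described here: one classifier over clipboard text, wrapped around navigator.clipboard.writeText as a guard, and reused to scan a hosted script for clipboard writes carrying obfuscated commands. The marker list, the fake clipboard object and the sample strings are constructed assumptions, not a shipped browser control.

```javascript
// Added example, not code from the article or any vendor it cites: a heuristic
// classifier for clipboard content, used as a guard around
// navigator.clipboard.writeText and as a scanner over hosted JavaScript.

// Strings that mark text meant for Win+R, Terminal or osascript (constructed list).
const SHELL_MARKERS = [
  /\bpowershell(\.exe)?\b/i, /\bmshta\b/i, /\bcmd(\.exe)?\s+\/c\b/i,
  /\bosascript\b/i, /\bcurl\b.*\|\s*(ba)?sh\b/i, /\bbase64\s+(-d|-D|--decode)\b/i,
  /\b(iex|invoke-expression)\b/i, /applescript:\/\//i,
];
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;
const CLIPBOARD_WRITE = /navigator\.clipboard\.writeText|execCommand\(\s*['"]copy['"]\s*\)|clipboardData\.setData/;

// Decode a base64 run; return null unless it yields printable text.
function decodePrintable(run) {
  const text = Buffer.from(run, 'base64').toString('utf8');
  return /^[\x20-\x7e\r\n\t]+$/.test(text) ? text : null;
}

// 'block': a base64 blob decodes to a shell command, or a shell command carries
// a base64 argument. 'warn': a plain shell command (a legitimate "copy this
// command" snippet looks identical; that is the false-positive tradeoff).
function classifyClipboardWrite(text) {
  const runs = text.match(BASE64_RUN) || [];
  const hasShell = SHELL_MARKERS.some((re) => re.test(text));
  for (const run of runs) {
    const decoded = decodePrintable(run);
    if (decoded && SHELL_MARKERS.some((re) => re.test(decoded))) return 'block';
  }
  if (hasShell && runs.length > 0) return 'block';
  return hasShell ? 'warn' : 'allow';
}

// Wrap writeText so every write is classified first; onDecision gets each verdict.
function installClipboardGuard(clipboard, onDecision) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const verdict = classifyClipboardWrite(text);
    onDecision(verdict, text);
    if (verdict === 'block') throw new Error('clipboard write blocked');
    return original(text);
  };
}

// Site-owner audit: flag hosted scripts that write the clipboard with content
// the classifier would not allow.
function scanHostedScript(source) {
  const writes = CLIPBOARD_WRITE.test(source), verdict = classifyClipboardWrite(source);
  return { writesClipboard: writes, verdict, suspicious: writes && verdict !== 'allow' };
}
```

Run it under Node; a page's own "copy this command" button lands in the warn bucket, which is the friction the answer above describes.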

Sources (6 cited)

  1. Kash Patel's Apparel Site Is Trying To Trick Visitors Into Installing Malware (primary; accessed 2026-05-24)
  2. Kash Patel (primary; accessed 2026-05-24)
  3. Think before you Click(Fix): Analyzing the ClickFix social engineering technique (vendor; accessed 2026-05-24)
  4. ClickFix (community; accessed 2026-05-24)
  5. What is ClickFix Attack - How Hackers are Using it to Attack User Device With Malware (analysis; accessed 2026-05-24)
  6. Investigating a New Click-Fix Variant (analysis; accessed 2026-05-24)