HeadlinesBriefing.com

ClickFix malware bypasses Apple's new Terminal paste warning

9to5Mac

Malware authors have already found ways to circumvent Apple's new Terminal paste warning introduced in macOS Tahoe 26.4. The security feature was designed to disrupt ClickFix attacks, which have become the leading delivery mechanism for malware on Mac systems. Just weeks after its release, researchers at Jamf Threat Labs discovered a new variant that entirely sidesteps the protection.

ClickFix isn't a malware family but a delivery technique that relies heavily on social engineering. It typically tricks users into pasting malicious commands into Terminal. The technique gained popularity in 2025 after Apple's macOS Sequoia made it harder to bypass Gatekeeper with fake DMG installers. ClickFix emerged as an attractive alternative because it's cheap, fast, and doesn't require signing certificates.

The new variant uses a fake Apple-themed webpage with an "Execute" button that launches Script Editor instead of Terminal. Since the command never touches Terminal, Apple's paste warning never triggers. While Script Editor does show an "unidentified developer" prompt, users who click through it can still execute the malicious script, which downloads and installs infostealers like Atomic Stealer. This demonstrates the ongoing cat-and-mouse game between Apple's security measures and malware authors.