⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.


osascript

osascript is the macOS command-line utility to run AppleScript or JavaScript for Automation (JXA). In ClickFix-style attacks, fake CAPTCHA pages instruct users to paste clipboard commands into Terminal, which decode and run AppleScripts through osascript, delivering malware such as Odyssey Stealer.

mac · CLI · Credential Theft · Data Exfiltration

Victims are presented with a fake CAPTCHA. When it fails, the site instructs them to copy a command for "system verification." This command decodes and runs an AppleScript via osascript. The lure then walks the victim through these steps:

  1. Press Cmd-Space to open Spotlight

  2. Type Terminal and press Enter

  3. Press Cmd-V to paste the verification command

  4. Press Enter to execute

Mitigations:

  • Block or alert on osascript execution with base64-decoded payloads

  • Educate users on risks of pasting commands into Terminal

  • Monitor for osascript accessing sensitive data (Keychain, browsers)
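
One way to implement the first mitigation, as an added example that is not part of the original page: a Python check over process command lines that alerts when osascript appears together with a base64 decode, and recovers the decoded script text for triage. The regexes, function names and sample command lines are constructed assumptions, and the sample payload is a harmless dialog.

```python
import base64
import binascii
import re

# Heuristics assumed for this example; tune against your own telemetry.
OSASCRIPT = re.compile(r"(?:^|[\s|;&(/])osascript\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(cmdline):
    """Return text recovered from base64-looking tokens, for analyst triage."""
    recovered = []
    for blob in B64_BLOB.findall(cmdline):
        try:
            raw = base64.b64decode(blob, validate=True)
            recovered.append(raw.decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore this token
    return recovered


def inspect(cmdline):
    """Return an alert dict if osascript runs alongside a base64 decode."""
    if not OSASCRIPT.search(cmdline):
        return None
    decoded = decode_blobs(cmdline)
    if not (B64_DECODE.search(cmdline) or decoded):
        return None
    return {"cmdline": cmdline, "decoded": decoded}


def scan(cmdlines):
    """Inspect every command line and keep only the alerts."""
    return [alert for alert in map(inspect, cmdlines) if alert]


# Constructed sample telemetry: one lure-shaped command, two benign ones.
BENIGN_SCRIPT = b'display dialog "constructed test"'
SAMPLES = [
    "echo %s | base64 -d | osascript" % base64.b64encode(BENIGN_SCRIPT).decode(),
    "/usr/bin/osascript -e 'tell application \"Finder\" to activate'",
    "base64 -d report.b64 > report.pdf",
]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print("ALERT:", alert["cmdline"], "->", alert["decoded"])
```

Feed it the full shell command line from your process-execution telemetry; the decode and the osascript call run as separate processes, so matching per-process arguments alone would miss the pipeline.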


Contributor: Michael Haag (2025-09-09)