
What "New macOS stealer campaign uses Script Editor in ClickFix at..." Means for BGC Businesses

2 min read · WNS5.tech

A BGC-based accounting firm nearly had its credentials stolen last week — not through phishing, but through a fake browser fix that asked a staff member to open Script Editor and paste in a command.

If your team uses Macs, this one is worth two minutes of your time.

What This Attack Actually Does to Your Mac

The attack is called ClickFix. Your employee sees a fake error page — convincing enough to look like Chrome or a document viewer — and gets instructed to "fix" it by running a script.

Previously, ClickFix dropped users into Terminal. This newer variant uses macOS Script Editor, which feels more legitimate and bypasses the instinct to distrust a black command-line window.

Once executed, Atomic Stealer silently harvests saved passwords, crypto wallets, and browser session data — everything a BGC finance or BPO team keeps on a work Mac.

Key Insight

Atomic Stealer doesn't need admin rights to take what it came for — your browser credential store is fair game from a standard user session.

Four Things to Do Before Your Next Team Meeting

Your IT policy probably covers phishing email. It likely says nothing about fake browser error pages that ask users to run scripts.

  • Block Script Editor access for non-developer staff via MDM
  • Train your team to screenshot, not click, any "fix this error" prompt
  • Enable macOS Gatekeeper and confirm it hasn't been silently disabled
  • Audit which Macs store browser-saved passwords for finance systems
  • Review and rotate credentials for any cloud tools accessed from company Macs
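A local audit for the Gatekeeper and browser-password items above, as an added example that is not part of the original post. The function names are hypothetical, and the script assumes home directories live under /Users and that Chrome and Firefox use their default profile locations.

```shell
#!/bin/sh
# Added example: run with sudo on the Mac so every home directory is readable.

# Classify the text printed by `spctl --status` (Gatekeeper).
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Succeed if any of the given (already glob-expanded) paths is a regular file.
any_file() {
  for f in "$@"; do
    if [ -f "$f" ]; then return 0; fi
  done
  return 1
}

# Print "user<TAB>browser" for each home directory under $1 (normally /Users)
# that contains a browser password store in its default location (assumption).
browser_stores() {
  for home in "$1"/*/; do
    [ -d "$home" ] || continue
    user=$(basename "$home")
    if [ "$user" = "Shared" ]; then continue; fi
    app="${home}Library/Application Support"
    if any_file "$app"/Google/Chrome/*/"Login Data"; then
      printf '%s\tchrome\n' "$user"
    fi
    if any_file "$app"/Firefox/Profiles/*/logins.json; then
      printf '%s\tfirefox\n' "$user"
    fi
  done
  return 0
}

# Full report; only meaningful on macOS, where spctl exists.
audit_mac() {
  echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
  echo "Browser password stores (user, browser):"
  browser_stores /Users
}

if [ "$(uname)" = "Darwin" ]; then audit_mac; fi
```

A `chrome` line marks a profile to review rather than proof of saved passwords, since Chrome creates its store file for every profile. More than one user listed on the same machine identifies the shared Macs to prioritise.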

Pro Tip

BGC offices with hot-desking setups are especially exposed — shared Macs mean one compromised session can hand over multiple employees' credentials in a single run.

What Catching This Early Actually Saves You

Credential theft doesn't announce itself. You find out weeks later when an account is drained or a client flags suspicious access.

Locking this down now costs your team roughly thirty minutes. Recovering from a breach costs weeks.

Quick Win

Open Script Editor on one staff Mac today and check if it launches without any prompt.

If you want a proper security review for your BGC or SBMA office, see what WNS5.tech covers on our services page.
