FBI Director's Merch Site Is Serving Malware to macOS Users
BasedApparel.com, a clothing brand co-founded by FBI director Kash Patel before he took the role under the Trump administration, has been caught hosting a ClickFix malware attack targeting Mac users. The discovery was made by a Portugal-based user who spotted the site running a fake Cloudflare verification page designed to trick visitors into executing malicious code on their own machines.
The attack follows a well-worn ClickFix playbook. When triggered, the site presents what looks like a standard Cloudflare CAPTCHA prompt, complete with a warning about "Unusual Web Traffic Detected." To prove you're human, you're asked to open Terminal, paste in a command, and run it. Simple enough, except the command you think you're copying and the one that actually lands on your clipboard are very different things.
The visible text reads something like "I am not a robot: Cloudflare Verification ID: 801470." What actually gets copied is a wall of obfuscated gibberish that, when executed in Terminal, decodes and phones home to a hacker-controlled domain to pull down a shell script. That script then gets to work.
The researcher who flagged it on X, going by "debbie," told PCMag she stumbled across the site after following a link in a piece by The Atlantic. She managed to extract the malicious payload and submitted it to VirusTotal, where 27 antivirus engines flagged it as a trojan and infostealer. The script is written in AppleScript, which is a slightly unusual choice, and appears to target saved credentials from Chromium-based browsers as well as cryptocurrency wallet data. It bundles whatever it finds into a zip archive and ships it off.
PCMag independently confirmed the attack, encountering the fake Cloudflare page during their own visit to the site via Chrome on a MacBook, though they could only reproduce it once.
The most likely explanation is that someone compromised part of the BasedApparel.com infrastructure, probably by stealing admin credentials or exploiting a vulnerable plugin. ClickFix attacks have been spreading this way for a while now, hitching rides on legitimate sites to avoid arousing suspicion.
Based Apparel had not responded to requests for comment at the time of writing. The timing is at least awkward, given that its co-founder now runs the FBI.
If there's a silver lining, Apple has added a safeguard in macOS Tahoe 26.4 that intercepts copied commands before they can be pasted and run in Terminal, flagging the potential risk. For everyone still on older versions, the usual advice applies: if a website is asking you to open Terminal, close the tab.
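The trick described above, where the text on the page and the text on the clipboard differ, can be checked for before anything is pasted. The following is an added example, not code from the article, PCMag, Apple or the researcher: a small heuristic that compares the displayed text with the copied text and flags decode-and-execute patterns. The function names, regex patterns and the sample clipboard string are assumptions constructed for illustration; the real payload is not reproduced in the article.

```python
import base64
import re

# Heuristic patterns chosen for this example; not an exhaustive rule set.
DECODE = re.compile(r"\b(base64\s+(-d|-D|--decode)|xxd\s+-r|openssl\s+enc\s+-d)\b")
FETCH = re.compile(r"\b(curl|wget)\b")
EXEC = re.compile(r"\|\s*(sudo\s+)?(sh|bash|zsh|osascript|python3?)\b"
                  r"|\beval\b|\b(sh|bash|zsh)\s+-c\b")
BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # long base64-looking run


def indicators(visible, copied):
    """Return the indicators present in what actually reached the clipboard."""
    return {
        "mismatch": copied.strip() != visible.strip(),
        "decode": bool(DECODE.search(copied)),
        "fetch": bool(FETCH.search(copied)),
        "exec": bool(EXEC.search(copied)),
        "blob": bool(BLOB.search(copied)),
    }


def verdict(visible, copied):
    """block: input is handed to an interpreter after decode/fetch/blob.
    warn: clipboard differs from the displayed text. allow: otherwise."""
    f = indicators(visible, copied)
    if f["exec"] and (f["decode"] or f["fetch"] or f["blob"]):
        return "block"
    return "warn" if f["mismatch"] else "allow"


# Text shown on the fake verification page, as quoted in the article.
LURE = "I am not a robot: Cloudflare Verification ID: 801470"
# Constructed stand-in for the clipboard content: the blob decodes to harmless
# text, not to the real payload (which the article does not reproduce).
_BLOB = base64.b64encode(b"constructed sample, harmless text only. " * 2).decode()
SAMPLE = f"echo '{_BLOB}' | base64 -D | bash"

if __name__ == "__main__":
    for shown, copied in [(LURE, SAMPLE), (LURE, "ls -la"),
                          ("brew install wget", "brew install wget")]:
        print(verdict(shown, copied), "<-", copied[:48])
```

Legitimate installers that pipe a download straight into a shell also come back as "block" here, which matches the advice above: any command a web page asks you to paste into Terminal deserves a second look.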