PANews reported on May 11 that, according to Cryptopolitan, Microsoft's security research team found that attackers have been publishing fake macOS troubleshooting guides since the end of 2025, tricking users into running malicious terminal commands to steal cryptocurrency wallets, iCloud data, and browser-saved passwords. The fake guides, published on platforms such as Medium, Craft, and Squarespace, address common user problems such as freeing up disk space or fixing system errors, and induce users to copy and paste malicious commands into the terminal. These commands automatically download and run malware.
This social engineering technique, known as ClickFix, bypasses macOS's Gatekeeper security mechanism because the victim runs the commands themselves. The malware families involved include AMOS, MacSync, and SHub Stealer, which can steal cryptocurrency wallet keys from Exodus, Ledger, and Trezor, as well as usernames and passwords saved in Chrome and Firefox. In some cases, attackers also delete legitimate wallet applications and replace them with trojanized versions. Apple has added protection against pasting potentially malicious commands in macOS 26.4.




