“14 browsers, 16 cryptocurrency wallets, and more than 200 extensions” — those figures, blunt and unsettling, summarize what a recent report says a ClickFix campaign has already swept up from macOS users.
ClickFix campaign targeting macOS users
The campaign is described as a ClickFix operation aimed specifically at macOS users. According to the account, the actors behind ClickFix are deploying a tailored supply of malicious code that targets Apple’s desktop environment. The report frames the activity not as a single opportunistic exploit but as a deliberate effort to deliver a particular kind of theft tool to Apple platform endpoints.
AppleScript-based infostealer at the core
At the technical center of the campaign is an AppleScript-based infostealer. The delivery method is notable for its use of AppleScript — a native automation and scripting language available on macOS — to harvest data from infected machines. The use of AppleScript distinguishes this campaign by leveraging a platform-specific scripting capability rather than relying solely on cross-platform malware families.
Data stolen: credentials and live session cookies
The malware’s stated targets are credentials and live session cookies. Those two categories are central to the report’s portrayal of the operation: credentials can unlock accounts directly, while live session cookies may allow attackers to assume active sessions without needing passwords. The account emphasizes both kinds of data as being collected by the AppleScript stealer deployed in the ClickFix campaign.
Browsers targeted: 14 named in the report
The story specifies that the infostealer collects data from 14 browsers. While the brief account does not list each browser by name, the number alone underlines the breadth of the campaign’s browser-side focus. Browsers are a high-value target for credential and session-theft operations because they often store logins, session tokens, and extension data — all of which the report indicates are of interest to the ClickFix operators.
Cryptocurrency wallets targeted: 16 listed
Cryptocurrency wallets are also in the attackers’ crosshairs. The report states the AppleScript stealer is collecting data from 16 cryptocurrency wallets. That explicit count highlights the campaign’s attention to digital-asset interfaces and suggests a motive that reaches beyond account takeover for web services alone. The presence of wallets among the enumerated targets is a central element of the campaign’s profile as described in the account.
Extensions impacted: more than 200 hoovered up
Beyond browsers and wallets, the campaign is said to have exfiltrated data related to more than 200 extensions. Extensions can mediate access to web services, alter browser behavior, and hold sensitive tokens or settings. The report’s quantified claim — “more than 200 extensions” — conveys both scale and specificity, indicating that the attackers are harvesting artefacts spread across many user-installed components.
Why these numbers matter to macOS users
The combination of an AppleScript stealer with stated collection goals — credentials, live session cookies, browser data, wallets, and extensions — creates a compound risk profile that the brief account makes plain through its numbers. Fourteen browsers, sixteen wallets, and over two hundred extensions: those figures add up to a wide attack surface on infected machines. The report’s emphasis on counts, not just categories, signals that this is a campaign engineered for breadth as well as depth.
For readers parsing that profile, the salient point is categorical: the ClickFix campaign is not limited to a narrow slice of user data. Instead, it reaches into the mechanisms users rely on to authenticate, to remain logged in, and to manage digital assets. The deployment of an AppleScript-based tool means the operation is tailored to the macOS environment and focused on harvesting exactly the items the report lists.
The story leaves unanswered questions about attribution, specific browser and wallet names, delivery vectors, and the scale of successful exfiltration in terms of affected users. What the account does provide — and what should not be overlooked — are the hard counts that define the campaign’s stated ambitions: 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions.
Those numbers are the clearest, most concrete indicators supplied. They frame the ClickFix campaign as a systematic effort to reach across commonly used products and user-installed components on macOS systems. Whether the attackers’ goals are financial, reconnaissance-driven, or a blend of motives, the report’s enumerations point to a programmatic approach rather than a one-off grab.
For investigators, defenders, and users, the practical takeaways the account supplies are straightforward: the campaign uses AppleScript to gather credentials and live session cookies, and it targets a substantial roster of browsers, wallets, and extensions. Beyond that, the report leaves the community to fill in technical particulars and operational context.
