An apparel site from FBI director Kash Patel has been spotted trying to trick macOS users into installing malware.
The site, BasedApparel.com, is part of a merchandise brand that Patel co-created with Andrew Ollis prior to becoming FBI director under the Trump administration. On Thursday, a user based in Portugal spotted the online shop hosting a “ClickFix”-style attack that tries to dupe unsuspecting users into running a malicious command on their Mac computers.
The attack seems to work as the user visits BasedApparel.com; a victim will encounter the site showing a page pretending to come from Cloudflare, which powers “Verify you are human” CAPTCHA tests and offers DDoS protection.
The fake Cloudflare page will show a warning saying “Unusual Web Traffic Detected,” while also requiring the user to verify that they’re human. But to do so, the page posts some unusual instructions that call for the user to open Terminal, a built-in utility in macOS that can execute programs.
(PCMag)
The user is then told to click the “Copy” button on the page to copy the command “I am not a robot: Cloudflare Verification ID: 801470.” But in reality, clicking the button will actually copy a much longer obfuscated text that looks like gibberish, although it’s actually a hidden command.
The actual copied command when you click the copy button. (PCMag)
The user is then told to paste and run the command in Terminal, thus executing the instructions without realizing the danger. The hidden command will decode, and fetch a shell script containing a list of commands from the hacker-controlled web domain.
PCMag encountered the attack while navigating BasedApparel.com on a MacBook, although we were only able to trigger the fake Cloudflare page once over the Chrome browser.
This Tweet is currently unavailable. It might be loading or has been removed.
The user on X who flagged the threat, “debbie,” told PCMag she encountered the attack after reading an article in The Atlantic about Patel that linked to the Based Apparel site. “The ClickFix attack just kinda popped up when I was browsing it,” Debbie said in an email. “I took a quick look and it’s just a classic infostealer, wrapped twice in base64 (binary-to-text encoding). It’s interesting that it’s written in Applescript though.”
debbie, who described herself as a “big nerd,” managed to retrieve the malicious shell script payload, which we ran through VirusTotal. The payload was flagged by 27 antivirus engines as malicious, classifying it as Trojan and infostealer. The attack seems to work by spanning various instructions that if run through macOS’s Terminal utility could steal stored credentials from Chromium-based browsers along with data from cryptocurrency wallets, placing them into a zip archive then sent to a hacker-controlled domain.
The attack suggests a hacker compromised some portion of BasedApparel.com when the ClickFix threat has remained pervasive in recent years, fooling less tech-savvy users. Security researchers have warned that the hackers behind ClickFix schemes have been circulating their attacks by stealing the login credentials for legitimate websites, tampering with exposed admin panels, or hitting vulnerable plugins.
Based Apparel didn’t immediately respond to a request for comment. But the attack is a reminder to be vigilant around pop-ups and other scareware tactics. Apple recently introduced a safeguard in macOS Tahoe 26.4 that can stop and warn users against running copied-and-pasted commands into the Terminal utility, citing the potential of malware.
About Our Expert
Michael Kan
Principal Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
