- Researcher finds Based Apparel site serving a macOS ClickFix infostealer disguised as a Cloudflare CAPTCHA check
- Victims were tricked into entering malicious AppleScript commands into Terminal, with VirusTotal flagging the malware as a commodity trojan/infostealer
- The site, built on WordPress/WooCommerce and Ghost CMS, was taken offline after publication, linking the incident to wider Ghost CMS exploitation in ongoing ClickFix campaigns
Based Apparel, an American online clothing company that sells patriotic, conservative and pro-free speech themed products, was apparently compromised and used to serve malware through the ClickFix technique – but only macOS users were targeted.
A researcher with the alias ‘debbie’ revealed her findings to PC Mag before sharing video evidence on X, saying she had read online about Based Apparel, co-founded by FBI Director Kash Patel, and decided to take a closer look.
“The ClickFix attack just kind of popped up when I was browsing,” Debbie said in an email. “I took a quick look and it’s just a classic infostealer, packed twice in base64 (binary-to-text encoding). Interestingly, though, it’s written in AppleScript.”
Links to Ghost CMS?
Victims were asked to confirm they were human on a CAPTCHA page that appeared to come from Cloudflare. The spoofed Cloudflare page told the victim that “unusual web traffic” had been detected and asked them to confirm they were human by opening Terminal and entering a command shared on the page.
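A defender-side triage sketch for the kind of pasted command described above, added here as an example and not taken from the researcher, PC Mag or the malware itself: it peels nested base64 layers from a command string and flags AppleScript markers in the decoded text. The indicator list, function names and sample input are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be an encoded payload, not an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed indicator strings for AppleScript execution; extend for your environment.
INDICATORS = ("osascript", "do shell script", "tell application")


def peel_base64(text, max_layers=4):
    """Return [input, layer1, layer2, ...] for each base64 layer that decodes to text."""
    layers = [text]
    while len(layers) <= max_layers:
        run = max(B64_RUN.findall(layers[-1]), key=len, default=None)
        if run is None:
            break
        try:
            padded = run + "=" * (-len(run) % 4)
            layers.append(base64.b64decode(padded, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            break  # not base64, or decodes to binary: stop peeling
    return layers


def assess(command):
    """Summarise a pasted command: encoding depth plus indicators found in any layer."""
    layers = peel_base64(command)
    depth = len(layers) - 1
    hits = sorted({i for layer in layers for i in INDICATORS if i in layer.lower()})
    return {"base64_layers": depth, "indicators": hits,
            "suspicious": depth >= 2 or (depth >= 1 and bool(hits))}


def build_sample():
    """Constructed, harmless input: a dialog script encoded twice, as the quote describes."""
    script = 'tell application "Finder" to display dialog "constructed sample"'
    twice = base64.b64encode(base64.b64encode(script.encode())).decode()
    return f'echo "{twice}"'


if __name__ == "__main__":
    print(assess(build_sample()))
    print(assess("brew install wget"))
```

The same check can be run over clipboard contents or shell history during triage; a legitimate installer rarely needs two layers of encoding around its script.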
Running the infostealer through VirusTotal, PC Mag found that it was flagged by 27 antivirus engines as a trojan and infostealer, meaning it is commodity malware rather than a custom-built tool for targeted attacks.
Based Apparel has yet to comment, but its website is currently offline. At press time, the site displayed a “We’ll be right back” message saying the company is “making improvements.”
The website is apparently built using two content management systems – WordPress with WooCommerce for the store functionality and Ghost CMS for the separate news subdomain.
Earlier today, we reported that a critical vulnerability in Ghost CMS, patched in February 2026, was also exploited against more than 700 domains to launch ClickFix attacks.




