- Researcher finds Based Apparel site serving a macOS ClickFix infostealer disguised as a Cloudflare CAPTCHA check
- Victims were tricked into pasting malicious Applescript commands in Terminal, with VirusTotal flagging the malware as a commodity Trojan/infostealer
- The site, built on WordPress/WooCommerce and Ghost CMS, was taken offline after disclosure, linking the incident to broader Ghost CMS exploitation in ongoing ClickFix campaigns
Based Apparel, an American online clothing company selling patriotic, conservative, and pro–free speech-themed merchandise, was seemingly compromised and used to serve malware through the ClickFix technique – but only macOS users were targeted.
A researcher with the alias ‘debbie’ disclosed her findings to PC Mag, before sharing video proof on X, after saying she read online about Based Apparel being co-founded by FBI Director Kash Patel and decided to take a closer look.
“The ClickFix attack just kinda popped up when I was browsing it,” Debbie said in an email. “I took a quick look and it’s just a classic infostealer, wrapped twice in base64 (binary-to-text encoding). It’s interesting that it’s written in Applescript though.”
Links to Ghost CMS?
The victims were asked to verify they were human, on a CAPTCHA page seemingly coming from Cloudflare. This spoofed Cloudflare site will tell the victim that “unusual web traffic” was detected, and will ask the victim to confirm they’re human by opening the Terminal and paste a command shared on the page.
Running the infostealer through VirusTotal, PC Mag found it was flagged by 27 antivirus engines as a Trojan and infostealer, meaning it’s commodity malware rather than a custom-built solution for targeted attacks.
Based Apparel is yet to comment, but its website is offline for the time being. At press time, the site showed a “We’ll be right back” message that stated the company is “making improvements”.
The website is seemingly built using two content management systems – WordPress with WooCommerce for the store functionality, and Ghost CMS for the separate news subdomain.
Earlier today, we reported that a critical-severity vulnerability in Ghost CMS, patched in February 2026, was also being abused against more than 700 domains to launch ClickFix attacks.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
