🟠 High  |  Source: The Hacker News


ClickLock is a newly discovered macOS infostealer that coerces victims into handing over their login password by repeatedly killing core system applications every 210 milliseconds until they comply. It is delivered via a Terminal command — likely through social engineering — and persists across reboots using macOS LaunchAgents, even if the victim initially refuses the fake system password prompt. The technique is notable for its aggressive, user-harassment-based approach to credential theft rather than silent exploitation.

Security Architect’s Take: Enforce Endpoint Detection and Response (EDR) tooling on all macOS endpoints with rules to flag LaunchAgent creation by non-standard processes and Terminal-based execution of downloaded payloads. Review your macOS fleet’s exposure to social engineering via developer portals, AI coding assistants, or third-party onboarding scripts, and consider restricting Terminal access for non-technical staff via MDM policy.

Original advisory: New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password