A CAPTCHA is supposed to prove that a person, rather than an automated bot, is using a website. ClickFix attacks turn that familiar moment into a trap. The page tells you that verification failed, your browser is broken, or a security check needs one extra step. Then it asks you to copy a command, open a system tool, paste, and press Enter.
That instruction can install an infostealer or remote-access tool on Windows or macOS without exploiting a software bug. The attacker exploits the user's trust instead. Once code runs in your account, it may search for browser passwords, session cookies, cryptocurrency wallets, cloud credentials, developer keys, private documents, or whatever else the current user can reach.
Quick answer
Yes. A fake CAPTCHA can lead to malware that steals passwords and other account access from a Mac or PC. A legitimate CAPTCHA will never require you to open Terminal, PowerShell, the Windows Run dialog, AppleScript, or another command tool. If a page tells you to copy and run a command, close it. If you already ran the command, treat the device as untrusted and start recovery from a known-clean device.
What ClickFix actually does
ClickFix is a social-engineering technique, not one specific malware family. The lure changes, but the core chain is consistent:
- A phishing message, malicious advertisement, compromised site, fake download, or deceptive extension leads you to a controlled page.
- The page displays a fake CAPTCHA, browser error, update warning, or repair prompt.
- The page places an obfuscated command on the clipboard or tells you what to copy.
- You are instructed to open a trusted operating-system utility and paste the command.
- The command downloads or launches attacker-controlled code, often using tools already installed on the device.
This last step matters. Security software is good at blocking suspicious executables, but ClickFix asks the victim to run a command through a legitimate shell or utility. Microsoft has documented campaigns using PowerShell and other Windows components, plus macOS campaigns that use Terminal, AppleScript, fake DMG installers, and familiar software brands.
Why the command may look harmless
The visible command may be long, encoded, or padded with text so the dangerous part is hard to inspect. It may claim to clear a cache, repair a browser profile, install a font, update a certificate, or complete human verification. Some variants deliberately cause a browser problem first, then present the command as the fix.
In Microsoft's 2026 CrashFix analysis, a malicious browser extension created browser disruption and then displayed a fake repair warning. That sequence is persuasive because the victim experiences a real problem immediately before seeing the proposed solution. The browser failure is not proof that the command is legitimate; it may be part of the attack.
What an infostealer looks for
Modern infostealers do not stop at saved passwords. Depending on the malware and operating system, the collection target can include:
- Browser cookies and active session tokens that may bypass a password prompt.
- Saved browser passwords and autofill data.
- Files in Downloads, Desktop, Documents, and cloud-sync folders.
- Cryptocurrency wallets, seed phrases, and browser wallet extensions.
- Cloud credentials, API tokens, SSH keys, and developer configuration files.
- Clipboard contents, screenshots, or information exposed in open applications.
- Account-recovery notes, backup codes, and plaintext password exports.
That is why changing one password is not a complete response. If an attacker stole a session cookie, the old session may still work after the password changes. If the device remains infected, the new password may be stolen as soon as you enter it.
Can a password manager stop ClickFix?
A password manager helps, but it is not an endpoint security product. Domain-matched autofill can reduce the chance of typing a password into a lookalike site, and an encrypted vault can protect stored data while it is locked. Those controls do not make malware safe after it is running with your user permissions.
If the vault is unlocked, if a credential is copied to the clipboard, or if malware can observe what you type and open, some information may be exposed. A local-first design reduces the value of attacking a vendor's central server, but an infected personal device is a different threat model. Local-first does not mean malware-proof.
Warning signs that should end the session
- A CAPTCHA asks you to press Windows+R, open PowerShell, or launch Terminal.
- A site tells you to paste a command that you did not write and cannot explain.
- A browser repair message appears immediately after installing an extension.
- A download arrives through a sponsored search result or an unfamiliar lookalike domain.
- A page asks you to disable antivirus, Gatekeeper, SmartScreen, or other protection.
- An installer claims that security settings must be bypassed because the developer is new or unsigned.
Closing a page is always safer than following an unexpected command. Navigate to the vendor's known official site from a bookmark or vault record if you still need the software.
What to do if you ran the command
- Disconnect the affected device. Turn off Wi-Fi or unplug the network connection. Do not use that device to change passwords.
- Use a known-clean device. Start with email, the device-platform account, financial accounts, phone carrier, cloud storage, and your password manager.
- Revoke sessions and connected apps. Look for "sign out everywhere," browser-session lists, app passwords, OAuth grants, and unfamiliar devices.
- Rotate credentials in priority order. Change unique passwords and replace recovery codes or API keys that may have been exposed.
- Get qualified cleanup help. Run current security tooling and consider a clean reinstall when the infection scope is uncertain.
- Review financial and recovery changes. Check forwarding rules, recovery email, phone number, MFA methods, payment details, and account alerts.
Do not restore every old download and browser extension automatically after cleanup. Reintroducing the malicious installer, extension, or script can restart the incident.
Krypt's answer: reduce exposure, then organize recovery
Krypt is a zero-knowledge password manager and local-first encrypted vault. Keeping credentials, recovery codes, private files, and account notes in a dedicated vault reduces the number of browser folders, cloud notes, screenshots, and plaintext exports an infostealer can casually sweep up.
Krypt does not claim to protect an unlocked vault on a compromised device. Its role is to keep private source-of-truth records encrypted when the vault is locked and to give you a structured place to recover afterward. From a clean device, your account records can help you identify known-good URLs, prioritize high-value logins, review weak or reused passwords, and find the recovery codes or security-key notes needed to regain control.
Build a ClickFix-resistant vault record
For important accounts, keep these details together:
- The canonical login URL, saved before an incident.
- A unique password or fallback credential.
- The MFA method and any registered hardware keys or passkeys.
- Recovery codes and the date they were generated.
- The official support URL and verified phone number.
- A short incident note recording session revocation and credential-rotation dates.
The goal is not to make one app invulnerable. It is to avoid scattering your recovery material across the same browser and filesystem locations attackers search first.
FAQ
Can a real CAPTCHA ask me to run a command?
No. A legitimate human-verification widget may ask you to select images, click a checkbox, solve a puzzle, or authenticate through a known service. It does not need a shell command. Opening Terminal, PowerShell, Windows Run, or AppleScript is a hard stop.
Does a password manager protect me after ClickFix malware runs?
Not completely. Encryption protects a locked vault, but malware operating in your session may still target browsers, clipboard contents, files, sessions, and anything you expose after unlocking. Clean the device before using new credentials on it.
Is changing my password enough?
No. Revoke active sessions, review connected apps, replace recovery codes, check MFA and recovery settings, and rotate high-value credentials from a clean device. Session tokens and other secrets may remain useful even after a password reset.
Technical references
Microsoft's 2026 report on cross-platform infostealers documents ClickFix-style prompts, malicious DMG installers, and credential theft on macOS. Its CrashFix analysis explains how browser disruption is used to coerce victims into running a command. The joint CISA, FBI, HHS, and MS-ISAC Interlock advisory documents fake CAPTCHA instructions that lead users to paste and execute malicious PowerShell.
Use Krypt to keep known-good login URLs, unique passwords, recovery codes, and incident notes in one local-first encrypted vault.