Kash Patel's 'BasedApparel' website is apparently hosting ClickFix malware


  • Researcher finds Based Apparel site serving a macOS ClickFix infostealer disguised as a Cloudflare CAPTCHA check
  • Victims were tricked into pasting malicious AppleScript commands into Terminal, with VirusTotal flagging the malware as a commodity Trojan/infostealer
  • The site, built on WordPress/WooCommerce and Ghost CMS, was taken offline after disclosure, linking the incident to broader Ghost CMS exploitation in ongoing ClickFix campaigns

Based Apparel, an American online clothing company selling patriotic, conservative, and pro–free speech-themed merchandise, was seemingly compromised and used to serve malware through the ClickFix technique - but only macOS users were targeted.

A researcher with the alias ‘debbie’ disclosed her findings to PC Mag, before sharing video proof on X, after saying she read online about Based Apparel being co-founded by FBI Director Kash Patel and decided to take a closer look.

“The ClickFix attack just kinda popped up when I was browsing it,” Debbie said in an email. “I took a quick look and it's just a classic infostealer, wrapped twice in base64 (binary-to-text encoding). It's interesting that it's written in AppleScript though.”


Victims were asked to verify they were human on a CAPTCHA page that appeared to come from Cloudflare. The spoofed Cloudflare page told the victim that “unusual web traffic” had been detected, and asked them to confirm they were human by opening Terminal and pasting a command shown on the page.
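For defenders triaging a command a user reports having been asked to paste, the following added example (not from the article or the researcher's analysis) peels nested base64 layers, such as the double wrapping described above, and flags strings associated with AppleScript execution. The indicator list, function names and the sample command are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be a wrapped payload, not an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed indicator strings for a paste-and-run lure; extend for your environment.
INDICATORS = ("osascript", "do shell script", "base64 -d", "base64 --decode", "| sh", "| bash")

def try_decode(blob):
    """Return decoded text if blob is strict base64 over printable UTF-8, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # bad padding/alphabet or non-UTF-8 bytes
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def peel(command, max_depth=5):
    """Return [original, layer1, layer2, ...], decoding the longest valid base64 run each round."""
    layers = [command]
    for _ in range(max_depth):
        runs = sorted(B64_RUN.findall(layers[-1]), key=len, reverse=True)
        decoded = next((t for t in map(try_decode, runs) if t), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers

def triage(command):
    """Summarise a pasted command: encoding depth, indicator hits, innermost text."""
    layers = peel(command)
    hits = sorted({i for layer in layers for i in INDICATORS if i in layer.lower()})
    return {"encoded_layers": len(layers) - 1, "indicators": hits, "final": layers[-1]}

# Constructed sample: a harmless AppleScript line wrapped twice in base64.
SCRIPT = 'display dialog "constructed benign sample"'
TWICE = base64.b64encode(base64.b64encode(SCRIPT.encode())).decode()
PASTED = f"echo '{TWICE}' | base64 -D | base64 -D | osascript"

if __name__ == "__main__":
    print(triage(PASTED))
```

Two or more encoded layers combined with an `osascript` hit is a strong signal that a "verification" command is not what the page claims.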

Running the infostealer through VirusTotal, PC Mag found it was flagged by 27 antivirus engines as a Trojan and infostealer, meaning it’s commodity malware rather than a custom-built solution for targeted attacks.

Based Apparel is yet to comment, but its website is offline for the time being. At press time, the site showed a “We’ll be right back” message that stated the company is “making improvements”.

The website is seemingly built using two content management systems - WordPress with WooCommerce for the store functionality, and Ghost CMS for the separate news subdomain.

Earlier today, we reported that a critical-severity vulnerability in Ghost CMS, patched in February 2026, was also being abused against more than 700 domains to launch ClickFix attacks.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
