PULSE NAME
ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer
WHITE dylanroth7 2026-04-08 Modified: 2026-04-08
Over the years, Jamf Threat Labs developed a broad library of indicators for statically detecting malware, alongside behavioral detections that flag suspicious actions at runtime. This two-pronged approach has proven highly effective at catching infostealers in the wild. Through one of these behavioral detections, we identified a ClickFix-style attack — one that stood out immediately because it ditched the typical Terminal-based execution entry point entirely. Instead, this malware leveraged macOS Script Editor as the execution vector while maintaining a familiar final payload. Script Editor has a well-documented history as a malware delivery mechanism, so its presence here isn't surprising. What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
AtomicStealer ClickFix
Indicators of Compromise (5)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-SHA256 04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a 2026-04-08
FileHash-SHA256 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44 2026-04-08
URL https://dryvecar.com/cleaner3/update 2026-04-08
URL https://dryvecar.com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a 2026-04-08
domain dryvecar.com 2026-04-08