How a macOS ClickFix Script Steals the Keychain and Every Browser Cookie: A PCAP Walk-Through
On 2026-04-22 a single Mac ran a ClickFix 'fix-it' command and handed over its login keychain and every browser cookie. This is a packet-level teardown of that capture: the curl-based task C2 on 45.94.47.204, the zsh stealer it pushed, the fake .com.apple.accountsd password stash, and the TLS exfil to mpasvw.com.