ClickLock: The Mac Stealer That Won't Let You Work Until You Hand Over Your Password
A new macOS malware kills your apps in a loop every 210 milliseconds, holding your machine hostage until you type in your login password.

Key points
- ClickLock Stealer is a newly identified piece of malware for Apple Mac computers that harasses users into giving up their login password.
- The malware kills apps like Finder, the Dock, Spotlight and Terminal every 210 milliseconds (roughly five times a second) until the victim types the password.
- It arrives when a user pastes a hostile command into Terminal, usually after being tricked by a fake download page or support prompt.
- The stealer installs two LaunchAgents, small startup files macOS uses to auto-run programs, so it keeps running after every login.
- Once it has the password, it can unlock the Mac's Keychain and steal saved logins, browser cookies and crypto wallet data.
There is a new piece of Mac malware doing the rounds, and it has a nasty trick.
It is called ClickLock Stealer. Researchers describe it as an infostealer, meaning a program built to grab passwords, cookies and other secrets off your computer and send them to the criminals who wrote it.
What makes ClickLock stand out is what happens when you say no.
How does the attack actually work?
The victim usually ends up running the malware themselves, without realising it. That is the whole point.
Attackers plant a command on a fake website, a bogus "fix your Mac" page, or a phishing lure (phishing is when criminals send fake messages to trick you into doing something harmful). The page tells the user to copy a line of text and paste it into Terminal, the built-in macOS app that runs commands directly on the machine.
The moment that command runs, ClickLock is on the system.
It then pops up a dialog box that looks exactly like a normal macOS prompt asking for your password. Most people would type it in without a second thought.
If the victim cancels, the malware does not give up. It installs two LaunchAgents (small configuration files macOS uses to launch programs automatically) and quietly exits.
At the next login, the trap springs.
Why the 210 millisecond loop matters
Once the LaunchAgents kick in, ClickLock starts killing apps. Finder, the Dock, Spotlight, Terminal, Activity Monitor and other core tools get force-quit every 210 milliseconds, roughly five times per second.
The Mac becomes unusable. Windows vanish as soon as they open. You cannot even launch Activity Monitor to see what is going wrong, because it gets killed the instant it appears.
The fake password dialog keeps popping back up. The message is unmistakable: type the password or you cannot use your computer.
Most people, at that point, type the password.
That is the whole con. There is no clever exploit, no zero-day (a zero-day is a software flaw the vendor does not yet know about). The malware just makes the machine so annoying to use that the victim gives in.
What happens after the password is handed over?
With the login password, the malware can do serious damage.
On a Mac, the password unlocks the Keychain, which is where Safari, Mail and many apps store saved logins. It also gives access to browser data such as cookies, autofill entries and stored crypto wallet files. The stealer bundles this up and sends it to the attacker.
By the time the victim realises what happened, the criminals may already be inside their email, cloud storage or exchange accounts.
What Mac users should do
The practical advice is simple. Never paste a command into Terminal because a website told you to. Legitimate software does not need you to do that.
If your Mac suddenly starts killing its own apps in a loop, do not enter your password. Force a restart by holding the power button, then boot into safe mode (hold Shift at startup) and remove any unfamiliar files under ~/Library/LaunchAgents/.
Change your Apple account password and any passwords stored in Keychain from a different, clean device.
The Hacker News flagged the campaign this week. It is a good reminder that the weakest link in Mac security, as with every other platform, is still the person at the keyboard.



