Opera's new Paste Protect tries to stop the copy-paste scam that's been draining wallets

The browser will now block dodgy commands before they reach your clipboard, targeting the ClickFix trick that has become criminals' favourite way to trick people into infecting their own computers.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a laptop screen showing a generic web browser with a red warning icon in the address bar and a blurred popup dialog, dim
Share

Key points

  • Opera has switched on Paste Protect by default in its latest browser release to block a scam known as ClickFix.
  • ClickFix tricks people into copying a hidden command from a website and running it themselves, which installs malware.
  • The feature works on Windows, macOS and Linux, and shows a red warning in the address bar when it blocks something.
  • Apple recently added a similar check to its Terminal app, showing how common the attack has become.
  • Users can allow-list trusted sites like GitHub if they copy code for legitimate reasons.

Opera has rolled out a feature called Paste Protect that tries to shut down one of the most effective scams doing the rounds this year. It's aimed at ClickFix — a trick where a website tells you there's a problem with your browser, or asks you to prove you're human, and helpfully offers a command to "fix" it.

You copy the command. You paste it into your computer's command line — the black text box where power users type instructions. You hit enter. And you've just installed malware on yourself.

That's the whole con. In practice, the command usually pulls down an info-stealer, meaning software that scrapes saved passwords, browser cookies and crypto wallets off your machine and sends them to the attackers.

The reason it works is that the victim types the final keystroke. Every antivirus and endpoint tool on the box sees a user running a legitimate shell command, because that's exactly what happened.

How is Opera actually stopping this?

Paste Protect inspects what's about to land on your clipboard and blocks it if it looks like a script or shell command. First reported by BleepingComputer, the feature sits on top of an older tool called Hijack Protection that Opera shipped in 2021 to stop websites silently swapping a copied bank account number for the attacker's.

The new bit is called Injection Protection. It scans copied text against patterns the browser associates with malicious commands, and it does this per operating system — so the rules for a Windows PowerShell one-liner are different from a macOS Terminal command.

When something trips the filter, the copy is cancelled, a popup appears, and a red icon shows up in the address bar. You get to see the first 120 characters of whatever was blocked. If you genuinely want it, you can approve the copy after a five-second delay.

Developers who paste snippets from GitHub all day can add trusted sites to an allow-list so they aren't nagged constantly.

Should ordinary users care?

Yes, and here's why: ClickFix has quietly become one of the most productive social engineering plays of the last eighteen months. Fake CAPTCHA pages — those "prove you're not a robot" boxes — are the most common wrapper, but the technique also turns up disguised as Zoom errors, Word document repair prompts and browser update nags.

Apple thought the problem serious enough that recent versions of macOS now flag risky pastes into Terminal before they run.

The failure mode here is a human one. No patch fixes it, because nothing is technically broken — the operating system is doing exactly what you told it to. A browser-level speed bump is a reasonable stopgap.

One thing worth saying plainly: if a website ever asks you to open a command prompt, PowerShell, or the Terminal and paste something in, close the tab. There is no legitimate reason a normal website needs you to do that. None.

Paste Protect is on by default in the latest Opera build and can be toggled at Settings → Privacy & Security → Paste Protect. Chrome, Edge and Firefox users don't get it, and there's no sign yet that they will.

Operational takeaway: assume your users will paste whatever a convincing popup tells them to, and build detection around the shell, not the browser.

© 2026 Threat Vectr