Gizmodo Hit by ClickFix Malware Attack Targeting Windows and macOS Users
A security incident on Gizmodo briefly exposed visitors to the ClickFix malware over the weekend, with Windows users facing a more severe threat than macOS users. The attack, first reported by readers on Saturday, displayed fake CAPTCHA prompts on article pages, tricking users into executing malicious code via their terminals.
Researchers at Proofpoint attributed the campaign to an affiliate of ErrTraffic, a ClickFix-as-a-service operation that allows attackers to deploy custom malware. The Windows variant attempted to install NetSupport RAT, a remote access trojan that abuses the legitimate NetSupport Manager tool to infiltrate systems. According to Darktrace, NetSupport RAT can exfiltrate files, deploy additional malware, and even deliver ransomware.
The macOS version, while configured with a payload, appeared non-functional: it required a password to open a ZIP archive, which effectively neutralized the threat.
Gizmodo confirmed the breach, stating that a compromised account was exploited to inject the malicious script. The site was taken offline briefly, the script removed, and the account secured. User reports spanned only a few hours, suggesting the attack was short-lived. By Monday, The Register verified that the malicious prompts were no longer active.
Gizmodo.com cybersecurity rating report: https://www.rankiteo.com/company/gizmodo-usa
"id": "GIZ1782132066",
"linkid": "gizmodo-usa",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Visitors (number not specified)',
                        'industry': 'Technology Journalism',
                        'name': 'Gizmodo',
                        'type': 'Media/News Website'}],
 'attack_vector': 'Compromised account (malicious script injection)',
 'data_breach': {'data_exfiltration': 'Potential (via NetSupport RAT)',
                 'personally_identifiable_information': 'Potential risk (via '
                                                        'NetSupport RAT)'},
 'date_detected': 'Saturday (specific date not provided)',
 'date_resolved': 'Monday (specific date not provided)',
 'description': 'A security incident on Gizmodo briefly exposed visitors to '
                'the ClickFix malware over the weekend, with Windows users '
                'facing a more severe threat than macOS users. The attack '
                'displayed fake CAPTCHA prompts on article pages, tricking '
                'users into executing malicious code via their terminals. The '
                'Windows variant attempted to install NetSupport RAT, while '
                'the macOS version appeared non-functional.',
 'impact': {'downtime': 'Brief (site taken offline)',
            'identity_theft_risk': 'Potential (via NetSupport RAT)',
            'operational_impact': 'Site temporarily taken offline, malicious '
                                  'script removed',
            'systems_affected': 'Gizmodo website, visitor terminals (Windows '
                                'and macOS)'},
 'initial_access_broker': {'entry_point': 'Compromised Gizmodo account'},
 'investigation_status': 'Resolved',
 'post_incident_analysis': {'corrective_actions': 'Account security '
                                                  'reinforcement, malicious '
                                                  'script removal',
                            'root_causes': 'Compromised account exploited to '
                                           'inject malicious script'},
 'ransomware': {'data_exfiltration': 'Potential (via NetSupport RAT)'},
 'references': [{'source': 'Proofpoint'},
                {'source': 'Darktrace'},
                {'source': 'The Register'}],
 'response': {'containment_measures': 'Site taken offline, malicious script '
                                      'removed, compromised account secured',
              'recovery_measures': 'Site restored, verification of no active '
                                   'threats',
              'remediation_measures': 'Malicious script removal, account '
                                      'security reinforcement',
              'third_party_assistance': 'Proofpoint, Darktrace (researchers)'},
 'threat_actor': 'ErrTraffic affiliate (ClickFix-as-a-service)',
 'title': 'Gizmodo Hit by ClickFix Malware Attack Targeting Windows and macOS '
          'Users',
 'type': 'Malware Attack',
 'vulnerability_exploited': 'Fake CAPTCHA prompts, social engineering'}