Kash Patel’s ‘BasedApparel’ Website Apparently Hosts ClickFix Malware

Researcher discovers Based Apparel site serving macOS ClickFix information stealer disguised as Cloudflare CAPTCHA control
Victims were tricked into pasting malicious Applescript commands into the terminal, with VirusTotal reporting the malware as a Trojan/information stealer.
The site, built on WordPress/WooCommerce and Ghost CMS, was taken offline after disclosure, linking the incident to wider exploitation of Ghost CMS in ongoing ClickFix campaigns.

Based Apparel, an American online clothing company selling patriotic, conservative and pro-free speech products, was apparently compromised and used to distribute malware via the ClickFix technique – but only macOS users were targeted.

A researcher using the pseudonym “Debbie” disclosed her findings to PC Magbefore sharing video evidence about

“The ClickFix attack came up when I was browsing it,” Debbie said in an email. “I had a quick look and it’s just a regular infostealer, wrapped twice in base64 (binary to text encoding). Interestingly, though, it’s written in Applescript.”

Links to Ghost CMS?

Victims were asked to verify that they were human, on a CAPTCHA page apparently from Cloudflare. This spoofed Cloudflare site will tell the victim that “unusual web traffic” has been detected and ask them to confirm that they are human by opening the terminal and pasting a shared command onto the page.

Run infostealer via VirusTotal, PC Mag found that it was flagged by 27 antivirus engines as a Trojan and information stealer, meaning it is common malware rather than a custom solution for targeted attacks.

Based Apparel has not yet commented, but its website is currently offline. At press time, the site displayed a “We’ll be right back” message saying the company was “making improvements.”

The website is apparently built using two content management systems: WordPress with WooCommerce for the store functionality and Ghost CMS for the separate news subdomain.

Earlier today, we reported that a critical severity vulnerability in Ghost CMS, patched in February 2026, was also exploited against more than 700 domains to launch ClickFix attacks.