Risky Bulletin: Apple adds ClickFix warning to macOS terminal - Risky Bulletin

Summary

Risky Bulletin: Apple Adds ClickFix Warning to macOS Terminal
Podcast: Risky Bulletin (Risky Business Media)
Date: March 30, 2026
Host: Claire Aird
Episode Theme:
A rapid-fire roundup of the week's most significant global cybersecurity news, with a primary focus on new security measures by Apple, major hacks, regulatory moves, crypto crime, and ongoing cyber threats targeting both private individuals and public infrastructure.

Main Theme Overview

This episode centers on Apple’s new security warning aimed at combatting “ClickFix” attacks on macOS terminal users. Other headlines include: the hacking of high-profile email accounts, shutdowns in the crypto world, large-scale European cyberattacks, a dramatic supply chain breach, and new legislative measures in response to AI deepfakes.

Key Discussion Points & Insights

1. Apple Adds ClickFix Warning to macOS Terminal

[00:05] Apple’s newest update introduces a warning whenever users copy-paste commands from a browser to the macOS terminal.

The “ClickFix” technique, first noted in 2024, manipulates users into running hidden malicious commands—originally on Windows, now prevalent on macOS.

Significance: This is Apple’s direct response to the growing trend of social engineering attacks delivered via command-line instructions.

Quote:
[00:07] Claire Aird: “Users will see an alert anytime they copy paste commands from a browser into the terminal window. The click fix technique became popular in 2024.”

2. Major Hacks and Data Breaches

FBI Director Kash Patel’s Personal Email Hacked
- [00:14] The Iranian-linked “Handala” hacking group breached and leaked emails from Patel’s Gmail.
- The group is previously tied to Iran’s intelligence service (MOIS).
European Commission Hacked
- [00:19] "Shiny Hunters" claim a 350GB data theft from the European Commission’s AWS environment.
- Data taken: Email dumps, contracts, databases, internal documents.
- A separate January hack targeted the EC’s mobile device management server.
Breach Forums Hacked (Again)
- [00:47] “Shiny Hunters” strike the criminal hacking forum shortly after a relaunch, exposing 340,000 users’ registrations and messages.
- The group threatens future attacks on “fake” versions of the forum.

3. Crypto & DeFi Developments

Balancer DeFi Platform Shutdown
- [00:29] After a $110 million breach and mounting legal risk, Balancer shuts down operations but will maintain its token.
Crypto Theft via Domestic Espionage
- [00:56] In the UK, Tu Ping Faiyuan accuses his estranged wife of using a security camera to capture his crypto wallet password, stealing $176 million. Audio evidence presented in court; funds remain unmoved.

4. Vulnerability Exploitation & Ransomware

Citrix NetScaler Exploited Post-Patch
- [00:36] Attackers are targeting a freshly patched Citrix bug to leak memory data, referencing previous “Citrix Bleed” attacks.
Care Cloud Healthcare Provider Breach
- [00:41] Hackers infiltrated one of Care Cloud’s EHR platforms, ejected after eight hours.
Jackson County Sheriff’s Dept Ransomware
- [01:07] Department operations crippled: WiFi, reports, computers offline due to ransomware via email.

5. Software Supply Chain Attacks

API Fox Compromised
- [01:17] Malicious code sneaked into JavaScript files on API Fox’s CDN, enabling credential theft and a hidden backdoor.
Telnix Python Library Backdoored
- [01:22] Team PCP hacked the official SDK, part of a campaign targeting thousands via open source supply chains.

6. AI and Regulatory News

EU Proposes Ban on ‘Nudify’ Deepfake Apps
- [01:31] New AI Act amendment would outlaw apps producing explicit deepfakes without consent, prompted by several public scandals.
EU Lawmakers Traveling to China Warned
- [01:38] Security teams require lawmakers to use burner devices amid hacking fears during upcoming Beijing visit.

7. Geopolitics and Cyber Command Directives

NSA/Cyber Command Orders More Intelligence Sharing
- [01:47] Incoming chief General Josh Rudd mandates tighter collaboration with allies and a focus on Chinese and Russian threat actors.
Russian and Iranian APT Activity Updates
- [01:56 & 02:14]
  - A second Russian APT is using an iOS attack framework (“Dark Sword”) in phishing campaigns targeting Lithuanian victims (FSB-linked).
  - U.S. State Department offers $10M rewards for intelligence on Iranian hacking groups.

8. Disinformation Campaigns Targeting LNG Supplies

[02:24] Social media campaigns falsely warn Taiwanese audiences about LNG depletion from Iran conflict (Chinese-linked accounts).
[02:47] Similar operations target Australia (Iranian source).

9. Active Threats — F5 BIG-IP Vulnerability

[02:56] F5 device vulnerability—initially misclassified as only DoS—now exploited for remote code execution.
CISA orders federal agency patching by Monday.

Notable Quotes & Memorable Moments

On ClickFix Expansion:
- [00:07] “It initially targeted Windows, but expanded to macOS last year.” — Claire Aird
On Breach Forums Hacks:
- [00:49] “It said it will hack and leak any future versions it deems fake.” — Claire Aird describing Shiny Hunters
On the UK Crypto Case:
- [01:00] “Ping presented the court with an audio recording of his wife planning the hack with her sister.” — Claire Aird
On European AI Law:
- [01:34] “The law would cover any app that creates sexualised deepfakes without consent.” — Claire Aird

Timestamps for Important Segments

Apple ClickFix warning: 00:04–00:13
Kash Patel Gmail Hack: 00:14–00:19
European Commission Hack: 00:19–00:28
Balancer DeFi Shutdown: 00:29–00:35
Citrix NetScaler Exploitation: 00:36–00:41
Care Cloud EHR breach: 00:41–00:47
Breach Forums breach: 00:47–00:56
UK Crypto Theft Case: 00:56–01:07
Jackson Co. Ransomware: 01:07–01:17
API Fox JavaScript Backdoor: 01:17–01:22
Python/Telnix Supply Chain Attack: 01:22–01:31
EU Deepfake Ban: 01:31–01:38
EU Lawmakers China Security: 01:38–01:47
NSA/Cyber Command Orders: 01:47–01:56
Russian APT with Dark Sword: 01:56–02:14
US Rewards for Iranian Hackers: 02:14–02:24
Taiwan/Australia Disinfo Campaigns: 02:24–02:56
F5 BIG-IP Vulnerability: 02:56–End

Summary:
A packed risk update, this episode highlights Apple’s increased attention to terminal-based user security, a wave of strategic hacks from Iran and Russia, disturbing crypto heists, persistent software supply chain threats, and new Europe-wide AI regulations. Notable moments include the exposure of criminal forums, high-profile email hacks, and the continuing convergence of politics, law, and cybersecurity risk on a global scale.

Transcript

A (0:04)

Apple adds a click fix warning to macOS Hendala hacks Kash Patel's personal email balancer crypto platform shuts down after last year's hack and the EU proposes a ban on AI nudify apps. This is the risky bulletin prepared by Catalyn Kimparnu and read by me, Claire aird. Today is the 30th of March and this podcast episode is brought to you by. Knock Knock. In today's top story, Apple has added a warning about click fix attacks to macOS. Users will see an alert anytime they copy paste commands from a browser into the terminal window. The click fix technique became popular in 2024. It relies on tricking users into running malicious commands. It initially targeted Windows, but expanded to macOS last year. In other news Iranian hackers have breached FBI Director Kash Patel's personal Gmail account. The Handala hacking group has credit and leaked some of Patel's emails. The FBI confirmed the breach on Friday. Previous reports have linked the Handala group to Iran's intelligence service, the mois. The European Commission is investigating a hack of its website and cloud infrastructure. The Shiny Hunters hacking group claims to have stolen more than 350 gigabytes of data from the commission's AWS environment. The group says stolen material includes email server dumps, databases, Internet internal documents and contracts. The commission also suffered a separate hack in January. That incident was via its Avanti mobile device management server. The Balancer Defi platform has shut down months after hackers stole $110 million. The company cited increased legal liability after the hack in November last year. The company will continue operating its token threat Actors are launching attacks against a recently patched vulnerability in Citrix NetScaler devices. Watch our Labs spotted exploitation in honeypots last week, days after the patch was made available. The vulnerability allows attackers to leak data from memory, similar to the earlier Citrix Bleed attacks. Citrix has yet to confirm the activity. Hackers have breached US Health record provider Care Cloud. The incident earlier this month impacted one of the company's six electronic health record platforms. The company says it evicted the attackers eight hours after they gained access. The fifth incarnation of Breach Forums has been hacked just days after its launch. The Shiny Hunters group has leaked registration data and private messages of more than 340,000 users. The group was involved in earlier iterations of the site. It said it will hack and leak any future versions it deems fake. A UK man has accused his estranged wife of stealing $176 million worth of crypto assets. 2 Ping Faiyuan claims his wife used a security camera to record his crypto wallet password. She then emptied his wallet. Ping presented the court with an audio recording of his wife planning the hack with her sister. The funds have not moved since being stolen. A ransomware attack has crippled the Jackson County Sheriff's Department in Indiana. The attack took down the WI Fi network, the police report filing system and all of the department's computers. The incident occurred last week and has been traced back to a malicious file received via email. The department website was still down on Monday. Hackers have inserted malicious code into the desktop client of Chinese Web Dev Service API Fox. The attackers compromised JavaScript files hosted on the app's CDN. According to security firm Slowmist. The code stole users credentials and left a backdoor hacking group Team PCP has backdoored the Python library of a voice AI provider. The hack against Telnix impacted the company's official SDK on the PI PI portal Team PCP has breached thousands of organisations this month in an ongoing supply chain attack. Europe has proposed an amendment to its AI act that would ban nudify apps. The law would cover any app that creates sexualised deepfakes without consent. Earlier this year, Xai's Grok generated explicit images of women and children, leading to public demand for regulation. EU lawmakers have been instructed to leave their phones at home when travelling to China next month. The commission's security team cited concerns over possible hacking attempts. Lawmakers will receive burner phones and laptops for the Beijing visit. NSA and Cyber Command's new chief has told staff to increase intelligence sharing with allies. General Josh Rudd has also instructed staff to keep a close eye on China and Russia in Even though the White House has prioritised the southern border, the directives were part of General Rudd's first NSA all hands meeting. A second Russian APT group has started using The Dark Sword iOS hacking framework. Spear phishing emails lured Lithuanian victims to sites hosting the exploit kit. Proofpoint says it's linked the emails to the Russian FSB intelligence service. Darksword was previously spotted being used by a unit from Russia's military intelligence service, the GRU. The US State Department is offering rewards of up to $10 million for information on Iranian hacking groups. It's seeking information on groups acting in support of Iran, such as Handali Haq and Parjan Afsar Rayan Borna. The department is interested in group members names and locations. A social media disinformation campaign is telling Taiwanese audiences that the Iran conflict would deplete the country's LNG reserves. The campaign was traced back to a cluster of accounts based in China. Taiwan's minister of economic affairs said the claims were untrue. A similar campaign also targeted Australian audiences. That one was linked to an Iranian news agency. And finally, threat actors are hacking corporate networks via a vulnerability in F5 big IP devices. The attacks exploit a remote code execution bug that was patched as denial of service in October last year. On Friday, CISA warned federal agencies about the attack and ordered them to install patches by the end of Monday. And that is all for this podcast edition. Today's show was brought to you by Knock Knock. Find them at Knock Knock. That's knocknoc IO. Thanks for your company.