Atomic Stealer (AMOS) operators have bypassed Apple’s recent ClickFix defense in macOS Tahoe 26.4 by exploiting the built-in applescript:// URL scheme to deliver credential-stealing malware via Script Editor rather than Terminal. Organizations with macOS fleets are at risk of credential theft across Keychain, browsers, and cryptocurrency wallets, regardless of whether the Tahoe 26.4 patch is applied. The business risk is significant: stolen credentials and session cookies can enable account takeover, financial fraud, and lateral movement across enterprise environments.
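One way to hunt for the delivery step described above is to flag web or email HTML that links to the applescript: scheme. This is an added detection example, not code from the original report; the function names, the sample page, and the "placeholder" link target are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

SCHEME = "applescript:"  # scheme named in the report; URL schemes are case-insensitive
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
# Browsers drop tab/CR/LF from URLs before parsing, so "apple\nscript:" still resolves.
_STRIP = re.compile(r"[\t\r\n]")
_IN_TEXT = re.compile(r"applescript:[^\s\"'<>)]*", re.I)

def normalize(value):
    """Reduce a candidate URL to the form a browser sees at scheme dispatch."""
    return _STRIP.sub("", value).strip(" '\"").lower()

class SchemeLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (location, raw value) pairs

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # character references are already decoded here
            value = value or ""
            if name in URL_ATTRS and normalize(value).startswith(SCHEME):
                self.hits.append((f"<{tag} {name}>", value))
            elif tag == "meta" and name == "content":  # "0; url=applescript://..."
                if normalize(value.partition("=")[2]).startswith(SCHEME):
                    self.hits.append(("<meta refresh>", value))
            elif name.startswith("on") and _IN_TEXT.search(_STRIP.sub("", value)):
                self.hits.append((f"<{tag} {name}>", value))

    def handle_data(self, data):
        # Inline script bodies and text, e.g. location.href = "applescript://..."
        self.hits += [("text/script", m.group(0)) for m in _IN_TEXT.finditer(data)]

def find_applescript_links(html):
    finder = SchemeLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample page; hosts and the "placeholder" target are not from any real campaign.
SAMPLE = """<a href="https://example.com/help">Help</a>
<a href=" AppleScript://placeholder?x=1">Fix now</a>
<a href="apple&#10;script://placeholder">Continue</a>
<meta http-equiv="refresh" content="0; url=applescript://placeholder">
<script>window.location.href = "applescript://placeholder";</script>
<p>Docs: https://example.com/applescript</p>"""

if __name__ == "__main__":
    print(*find_applescript_links(SAMPLE), sep="\n")
```

A hit is a lead for triage, not proof of compromise: correlate it with Script Editor launches on the endpoint that fetched the page.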