AMOS operators have bypassed Apple’s macOS Tahoe 26.4 ClickFix mitigation by abusing the applescript:// URL scheme to deliver credential-stealing malware via Script Editor, targeting Keychain credentials, browser-stored passwords, session cookies, and cryptocurrency wallet extensions across all macOS versions. No Apple patch addressing the applescript:// bypass vector is confirmed available as of 2026-03-04, making behavioral controls and MDM-enforced URL scheme restrictions the primary mitigation path. Immediate actions: restrict or disable the applescript:// URL handler via MDM Configuration Profile, audit macOS fleet EDR telemetry for Script Editor processes spawned by browser parent processes, enforce password rotation and session cookie invalidation on any host where Script Editor was triggered unexpectedly.