HackMyIP
2026-06-18 The Hacker News

SearchJack Chrome Extensions Hit 758K Users as macOS ClickFix Spreads RAT

Tags: Threat Intel, Malware, Phishing, Privacy, Cloud Security

A cluster of 23 deceptive Chrome browser extensions has been uncovered routing user searches through monetization middleware before delivering results, exposing roughly 758,000 affected users across at least eight distinct affiliate brokers. Discovered by researcher Jean-Marie R., the campaign — dubbed SearchJack — packages each extension with a legitimate-seeming facade, including satellite imagery, productivity tools, news readers, and maps, while the real business is search affiliate revenue. The threat extends beyond adware: operators control web traffic end-to-end, meaning they can inject phishing links or push malicious downloads without ever updating the extension code itself. Anyone concerned about covert browser hijacking should run a browser fingerprint test and a privacy checkup to verify what their browser is actually exposing.
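The search-hijacking pattern described above leaves traces in an extension's manifest: a `chrome_settings_overrides.search_provider` entry, broad host permissions, request-interception permissions, or content scripts scoped to search-engine pages. The following audit script is an added example, not code from the article or the researcher; the manifest it checks is a constructed sample (with placeholder domain and affiliate ID), not a real SearchJack artifact.

```python
import json
from typing import Any

# Constructed sample: a "maps" extension that quietly sets itself as the default
# search provider and injects scripts into search-engine pages.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Satellite Maps Viewer",
    "version": "1.4.2",
    "permissions": ["storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Maps Search",
            "search_url": "https://search.example.invalid/?q={searchTerms}&aff=AFFILIATE_PLACEHOLDER",
            "keyword": "maps",
            "encoding": "UTF-8",
            "is_default": True,
        }
    },
    "content_scripts": [
        {"matches": ["*://www.google.com/*", "*://www.bing.com/*"], "js": ["inject.js"]}
    ],
})

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.", "yahoo.")
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
INTERCEPT_PERMS = ("webRequest", "webRequestBlocking", "declarativeNetRequest")

def audit_manifest(manifest_text: str) -> list[str]:
    """Return findings that indicate search-hijacking capability in a manifest."""
    m: dict[str, Any] = json.loads(manifest_text)
    findings: list[str] = []
    # 1. Explicit search-provider override (default or not).
    sp = m.get("chrome_settings_overrides", {}).get("search_provider")
    if sp:
        flag = "DEFAULT " if sp.get("is_default") else ""
        findings.append(f"overrides {flag}search provider -> {sp.get('search_url')}")
    # 2. Broad host access; MV2 keeps host patterns inside "permissions".
    perms = list(m.get("permissions", []))
    hosts = list(m.get("host_permissions", [])) + [p for p in perms if "://" in p or p == "<all_urls>"]
    if any(h in BROAD_HOSTS for h in hosts):
        findings.append("requests broad host permissions (can rewrite any page)")
    # 3. Ability to observe or redirect requests without touching page code.
    for p in INTERCEPT_PERMS:
        if p in perms:
            findings.append(f"can intercept or redirect network requests ({p})")
    # 4. Content scripts targeting search-engine result pages.
    for cs in m.get("content_scripts", []):
        hit = [u for u in cs.get("matches", []) if any(s in u for s in SEARCH_ENGINE_HOSTS)]
        if hit:
            findings.append(f"injects scripts into search engine pages: {', '.join(hit)}")
    return findings
```

A single finding is not proof of abuse (legitimate search extensions also set a provider); several together on an extension whose stated purpose has nothing to do with search is the signal worth reviewing.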

On the macOS front, a Russian-speaking threat actor has been running a fileless ClickFix campaign against technology, media, and business services organizations across Asia, North America, and Oceania. Victims are lured through fake verification pages that trick them into executing AppleScript payloads, which drop an infostealer and remote access trojan directly in memory — leaving almost no forensic footprint on disk. The ClickFix technique continues to be one of the most effective social engineering plays of 2026 because it bypasses the need to deliver a traditional executable and instead weaponizes the user's own terminal.

Microsoft, meanwhile, has made DNS-over-HTTPS generally available on Windows Server 2025, enabling encrypted client-to-resolver DNS traffic inside existing on-premises infrastructure. DoH on Windows DNS Server uses TLS to encrypt queries transported as HTTPS requests, preserves compatibility with legacy DNS deployments, and supports mixed environments. For administrators, the rollout advances Zero Trust DNS posture without requiring a new resolver architecture. Teams should validate their configurations with a DNS leak test to confirm queries are actually tunneling through the encrypted channel rather than falling back to plaintext.

Rounding out the week's bulletin: NastyC2 npm packages were flagged for delivering command-and-control infrastructure through the JavaScript supply chain, device-code phishing campaigns continued targeting enterprise SSO users, and multiple stealer and loader families were observed in active distribution. The pattern is consistent — adversaries are chaining low-friction entry points like browser extensions, public package registries, and identity flows rather than burning zero-days.

Source: The Hacker News
