I've copied terminal commands straight off the web more times than I can count, usually for blog tooling, a diagram generator, some CLI flag I keep forgetting. I do check the source, whether it's Stack Overflow or a GitHub issue. But when I'm in a hurry, I paste first and read never. It turns out that exact habit is the delivery channel for one of the most troublesome attack techniques in the wild right now.
The fake CAPTCHA is just the opening act
ClickFix attacks start small. A video won't play, or a "verify you are human" check keeps failing, and the error screen helpfully offers a fix: copy this command, open the Run dialog (Windows key + R) or PowerShell, paste it, done. The user just wants to get past the check, so they follow along. The moment they press Enter, the pasted command runs. Malware installs, saved passwords leak, or the attacker gets remote access to the whole machine.
According to security firm Huntress, this technique accounted for more than 53% of malware delivery incidents in 2025. Past the halfway mark, it has stopped being an exotic trick and become the mainstream delivery method. In May, attackers exploited a SQL injection flaw in Ghost CMS (CVE-2026-26980) to compromise over 700 education and tech websites at once, then served visitors a fake Cloudflare verification page, as Malwarebytes reported.
Why your antivirus never sees it: you pressed Enter yourself
So why hasn't security software been catching this? The answer is simple. Antivirus and email filters are built to watch files arriving from outside, whether that's a sneaky download or a malicious attachment. ClickFix never sends a file for them to inspect. The user looks at the command with their own eyes, copies it by hand, pastes it into a terminal, and presses Enter. From the operating system's point of view, that is indistinguishable from the owner running a normal command.
A Help Net Security article quotes the key insight: the core of a successful ClickFix attack is "weaponizing the user." The latest antivirus is useless in that gap, and attackers don't even need to hunt for vulnerabilities. Human habits are enough. That's why this thing grew so fast.
Opera decided to watch the clipboard itself
Opera's answer to this gap is a feature called Paste Protect. The approach is clever. Instead of matching known malware signatures against a database, it detects the command patterns typical of ClickFix on Windows, macOS, and Linux. If something you copied from a web page matches a suspicious pattern, the copy itself gets blocked and a red icon appears in the address bar. You can view the first 120 characters of the blocked command if you want to see what it was, and if you still insist on proceeding, you have to hold a button down for more than five seconds. Opera bundled in clipboard hijacking protection too, which stops the bank account or crypto wallet address you copied from being silently swapped for the attacker's.
Because it looks at behavior patterns rather than signatures, new variants should still get caught. That's the part Lifehacker emphasized in its coverage. The catch is that only people who use Opera as their browser get any of this. Chrome, Edge, and Safari users have no equivalent built-in defense yet.
Your hands should stop before your browser does
So the practical fix, at least for now, is less about switching browsers and more about breaking a habit. A real CAPTCHA never asks you to copy a command and run it somewhere. It's a checkbox, or picking a few traffic lights out of a grid. Treat the phrase "paste this into your terminal" on any popup as the warning sign itself. The Windows Run dialog and PowerShell are windows most people have no reason to open even once a day unless they work in development or IT. If an unfamiliar web page is telling you to open one, the premise of the conversation is already broken. Read every command before you paste it, and never run one you don't understand. Those two rules alone defuse most of this attack.
Opera shipping this is welcome news, but I wouldn't outsource the whole problem to a browser. I'm staying on Chrome as my daily driver. What I did change after reading about this: before any copied command goes into a terminal, I stop and actually read it. Given how much command-copying my blog tooling involves, that one brake pedal seems worth installing on my side too.
Thanks for reading. Happy hacking!

Top comments (0)