alt.hn

5/23/2026 at 12:34:25 AM

FBI director's Based Apparel site has been spotted hosting a 'ClickFix' attack

 https://www.pcmag.com/news/kash-patels-apparel-site-is-trying-to-trick-visitors-into-installing-malware

by bilalq

5/23/2026 at 1:08:08 AM

For people that can't grok the title and the article like me:

- BasedApparel.com is a website owned by a person that happens to be the FBI director now. (he owned it before he became the director if it matters)

- The website BasedApparel.com was hacked and the hackers added a malicious click here to verify you are human section that tried to have you download a malicious payload if you were on macos.

by analogpixel

5/23/2026 at 1:16:25 AM

> he owned it before he became the director if it matters

All the more reason that those who "serve" in the government should be required to divest of their business interests. The traffic such a site would get due to the tribalism prevalent in US politics makes it a fat target, and potentially a national security threat.

by bdcravens

5/23/2026 at 10:48:12 AM

This is not good. What it achieves, is that the quality of people who assume office sinks even lower than it is today, since anyone with a modicum of competence, would never divest a business for a low paid, public job.

On the other hand... you _do_ have a point here. Care must be taken to make sure that the persons business does not profit by the PR and media exposure related to the position they are taking.

I don't know how to do this. Maybe someone else runs their business at arms length? Maybe tracking the revenue and profit to catch sudden upward swings?

And adding to this, it should of course be completely illegal for politicians, US and other nations, to profit from insider trading.

by abc123abc123

5/23/2026 at 11:05:51 AM

I disagree. I think the caliber of public employee, and their integrity, would be much higher if they were "only" allowed to collect their salary.

No state employee would be allowed to run a business like this while employed where I live (sapphire-blue New England state FWIW). Government positions are fairly, but not extravagantly, compensated, prestigious and come with excellent benefits. They should not be an avenue for accumulation of riches. It clearly does not work well and we're not getting the country's best.

by compass_copium

5/23/2026 at 2:14:50 PM

The person should also work for minimum wage, since that is a sign that the welfare of the community is more important than the employee's own. Perhaps weekly self immolation sessions would take that up a notch? What about divesting one's family because they might take attention away from important government work?

by yostrovs

5/23/2026 at 3:27:11 PM

The roughly $200k/year that department heads, congress, etc get is hardly minimum wage. No one is even suggesting they should lose the assets they've built up, just that they shouldn't be allowed to own a business while serving the public.

by bdcravens

5/23/2026 at 3:00:07 PM

You’re not even going to try to argue in good faith, are you? No one suggested anything close to what you’re saying.

by mikestew

5/23/2026 at 5:44:06 PM

> What it achieves, is that the quality of people who assume office sinks even lower than it is today, since anyone with a modicum of competence, would never divest a business for a low paid, public job.

Unless of course those with a modicum of competence desire to be true public servants. Read about the character of some of our great leaders like Washington, Lincoln or Eisenhower to understand the mentality of a true public servant. Something someone like Kash Patel knows nothing about.

I don’t think this level of virtue is all that rare, though it is rarely rewarded at the ballot box.

by jaredklewis

5/23/2026 at 3:19:34 PM

> a low paid, public job

I think there should probably be a level at which those requirements kick in, but keep in mind that most of the jobs we're talking about pay around $200k/year, with many of the daily and life expenses included as benefits, pushing the equivalent salary even higher.

It's not like they lose their money or lose the ability to invest their pre-public money. They could sell their business interests, then take the proceeds and put the money into a broad market fund (to prevent company- or industry-specific conflicts of interest). I'd even suggest making them exempt from capital gains should they choose to sell.

by bdcravens

5/23/2026 at 2:35:59 PM

I’m not a CPA, but aren’t there plenty of legal ways to divest in a business where you’re not directly involved, but where you can still get a share of any profits?

by etothet

5/23/2026 at 3:26:59 PM

If you're getting profits, it's an avenue for bribery.

"Hey Ka$h, can we have a quick discussion about my federal racketeering case? Btw I just purchased 10000 $40 shirts from your store to give away."

by compass_copium

5/23/2026 at 4:13:39 AM

Im a big fan of divesting in these scenarios but i dont know how that would help in this scenario specifically. His current role and his previous ownership made the site a target, but it would be a target regardless of who owns it currently.

by wheelerwj

5/23/2026 at 6:47:46 AM

It is the mix of high-security high-visibility national impact with organizations that are completely unequipped to operate in that arena.

> it would be a target regardless of who owns it currently.

The commonality of attacks makes it more important to eliminate distracting dependencies for critical leaders. Not less.

There is a reason top security clearances have requirements no normal organization could make on their employers. Lack of loose vectors is even more important for leaders.

by Nevermark

5/23/2026 at 2:54:19 AM

So it's not where you buy those shirts that say "Female Body Inspector?"

by gensym

5/23/2026 at 2:07:23 AM

> if you were on macos

Did they only target macOS? The article mentions macOS a lot, but AFAIK this attack changes the instructions based on the User-Agent. I've seen the exact page with instructions for Windows and PowerShell before.

by mzajc

5/23/2026 at 5:53:47 AM

Honestly, I can't think of a more deserving bunch of people than the owner and target customers of that website. Super genius people like that need entertaining challenges in their lives to perform at their peak.

by anigbrowl

5/23/2026 at 1:56:05 AM

>happens to be

This is not normal, other (decent) countries are not like this

by morkalork

5/23/2026 at 4:02:12 AM

Sarcasm is hard to spot in raw text.

by zombot

5/23/2026 at 3:59:13 AM

Has it been hacked? I mean, Trump's accomplices running conspicuous scams would not exactly be a surprise. They are all immune from prosecution, after all.

by zombot

5/23/2026 at 3:41:11 AM

Oh, I also got one: https://wiki.archlinux.org/index.php?title=Special:CreateAcc...

> To protect the wiki against automated account creation, we kindly ask you to answer the question that appears below (more info): What is the output of: LC_ALL=C pacman -V|sed -r "s#[0-9]+#$(date -u +%m)#g"|base32|head -1

Wait, they really do that...

by J-Kuhn

5/23/2026 at 4:06:26 AM

If you can't understand that command before pasting it in your terminal, then you probably shouldn't be editing the Arch Linux wiki.

by alright2565

5/23/2026 at 6:12:09 AM

My issue with this style of verification is more that it normalises running commands right in the terminal. Commands that come from place you kind of trust. And poof at some point it will contain some nefarious code. Instead of using a package manager (the curl to bash variant) or running these commands in a container/vm.

by spockz

5/23/2026 at 11:18:46 AM

Arch Wiki's core content is instructions of what commands to run right in the terminal.

by jampekka

5/23/2026 at 9:02:24 AM

Agreed, this is the first thing I thought of too. Don't teach people to paste unknown commands into their terminal!

by stavros

5/23/2026 at 4:41:26 AM

They have a similar command for the Arch Linux forum, where beginners are encouraged to ask questions

by PlasmaPower

5/23/2026 at 9:34:25 AM

Then write and highlight exactly that! ( e.g. "Never copy or execute code you do not understand! This is only for people who already know what will happen! Confirm:")

Forget about teaching people bad patterns. It's annoying when others assume everyone experiencing something under the same context and considers the same things as them.

by class4behavior

5/23/2026 at 4:46:09 PM

To be fair, just because you understand the code you see doesn't mean its safe to copy-paste. Many of these compromised sites will show something that appears to be a benign command but will be something entirely different when you copy them.

Not good to get people into the habit of copying and running code in their terminal.

by scratchyone

5/23/2026 at 7:13:30 AM

Also you need, to some extent, to understand that it’s something to execute in a terminal, because it doesn’t tell you that bit.

by chrismorgan

5/23/2026 at 2:21:05 AM

> The attack seems to work by spanning various instructions that if run through macOS’s Terminal utility could steal stored credentials from Chromium-based browsers along with data from cryptocurrency wallets, placing them into a zip archive then sent to a hacker-controlled domain.

What is it about Chromium based browsers that this attack narrows down to? Is it something technical in the ease of stealing information or just the imagined market share by the attackers? As per Cloudflare’s statistics browser share on macOS [1], it seems like Google Chrome users are a little less than two thirds of the total user base. But Safari still holds one third of the user base. Ignoring Safari seems like a poor mistake.

[1]: https://radar.cloudflare.com/reports/browser-market-share-20...

by newscracker

5/23/2026 at 6:48:07 AM

I wonder if they aren't using the macOS keychain, while Safari does.

by a_t48

5/23/2026 at 5:48:10 AM

The economy is so bad even the Director of the FBI has a side gig.

by rbobby

5/24/2026 at 5:50:51 PM

"Look at the crimes the economy made me do" doesn't really work after a certain level of affluence though.

by Terr_

5/23/2026 at 10:26:11 AM

President himself has several

by bdangubic

5/23/2026 at 12:44:40 AM

Thank you Based God

by NDlurker

5/23/2026 at 12:58:46 AM

What next? The trump phone shipping Chinese malware. Unthinkable!

by ray_v

5/23/2026 at 1:20:42 AM

It wouldn't be Chinese. It would be Russian.

by jmward01

5/23/2026 at 2:21:34 AM

Amazes me that, after the events of the past 3 years, so many people still think Russia is the major foreign influence on our politics.

by Georgelemental

5/23/2026 at 3:10:13 AM

The existence of other influences does not diminish the fact that Trump is enamored with Putin (and most "strong man" dictators generally, but Putin in particular) and it does impact his foreign policy decisions and those of his administration (Hegseth straight up canceled weapons shipments to Ukraine for 2 weeks in the aftermath of the Oval Office meeting thinking it would please the boss).

by dralley

5/23/2026 at 2:07:33 PM

Trump is currently quite mad at Putin because Putin refused to accept Trump's terms. They are not friends, and never have been. Meanwhile, there's another foreign leader that Trump has decided to start a war on behalf of—but the leadership of the other American party loves that foreign leader just as much as Trump does, so their loyal media outlets downplay it and distract with the fake Russia nonsense.

by Georgelemental

5/23/2026 at 4:07:07 AM

[flagged]

by SV_BubbleTime

5/23/2026 at 1:32:19 AM

To paraphrase Hickam's dictum, a phone can have as many sources of malware as it damn well pleases.

by kibwen

5/23/2026 at 9:30:17 AM

The topicality of this deep-cut joke is incredible.

by Paracompact

5/23/2026 at 3:38:31 AM

Don't be ridiculous, it would be Israeli.

by tdeck

5/23/2026 at 4:04:09 AM

They make the best, no doubt, but would the Trump phone have the best of anything?

by zombot

5/23/2026 at 1:32:07 AM

Why not both?

by wmf

5/23/2026 at 2:12:15 AM

To what point? Do we actually think Trump would use a Trump phone? Otherwise, they'd just be getting data on die hard MAGA types that have nothing to do with anything juicy

by dylan604

5/23/2026 at 5:56:01 AM

Having 600k extremely credulous people at your beck and call is a tempting target for any powerful actor.

by anigbrowl

5/23/2026 at 2:39:18 AM

Patel's site was just dropping sauce: overdose of sauce

by BoorishBears

5/23/2026 at 6:24:17 AM

Why does the FBI director have a merch store...?

by swarnie

5/23/2026 at 1:25:24 AM

And once again, another prime example that we do not live in a serious country

by Group_B

5/23/2026 at 6:14:52 AM

I would like to see serious cross-party dialogue on how to avoid ending up in a situation where there’s an FBI director who sells meme clothing.

I don’t think it’s unfair to blame cowardice and venality of individual Republican politicians in the face of being primaried, although it definitely needs an asterisk that we don’t know that the left’s Senators and Congressmen would do any better under the same situation.

by petesergeant

5/23/2026 at 5:15:00 PM

I would say it is up to republicans to do something about the clowns they appointed into high level office, and it’s up to democrats to continue their pattern of not appointing clowns like this into high level office.

by incidentist

5/23/2026 at 1:03:38 AM

> The attack suggests a hacker compromised some portion of BasedApparel.com

by mjmas

5/23/2026 at 7:56:44 AM

Would this be a news if it was not owned by FBI director? Do we really expect the FBI director to be responsible for this? He probably outsourced it to some company. This is an inflammatory headline.

by iamkrazy

5/23/2026 at 7:58:52 AM

it’s absolutely news worthy.

we do (and absolutely should) have higher expectations of the head of one of the most powerful organizations in the world. said organization that goes after malicious actors makes it even more newsworthy.

by toofy

5/23/2026 at 8:01:16 AM

Said organization has nothing to do with this e-commerce website.

by iamkrazy

5/23/2026 at 8:25:48 AM

Sure, but they do after hackers like the ones attacking Based Apparel.

I wouldn't hire a doctor either that has food poisoning every two weeks.

I wouldn't hire a security guard that gets held up often.

by golem14

5/23/2026 at 9:40:00 AM

Never trust a skinny chef.

by Paracompact