A Gizmodo reader who clicked into the site from a search result on June 20, 2026 did not get an article. They got a fake "your browser is out of date" prompt, a familiar-looking box that asked them to copy a line of text, open the Run dialog or terminal, and paste it in to "fix" a problem they did not have. That prompt was ClickFix, a social-engineering technique that turns the reader into the installer, and it was being served from Gizmodo's own domain through a single compromised account inside the publisher. (The Register; reader screenshots at Julia Metraux on Bluesky)
Gizmodo confirmed the incident the same day in a post on X, saying a single account had been used to inject a malicious client-side script into article pages, that the script had been removed, and that the site was briefly taken offline while the account was secured. The Register independently verified on Monday, June 22, that Gizmodo was no longer serving the prompts. What the publisher has not said is which account was compromised, how long the bad script ran, or how many readers were exposed. The window appears to have been hours, not days, based on the timeline of user reports, and Gizmodo has not contested that framing.
The technique, ClickFix, is a social-engineering pattern that abuses the trust users place in ordinary system prompts. Instead of tricking the user into downloading a malicious file, ClickFix serves a fake CAPTCHA, a fake "your browser is out of date" notice, or a fake error message that instructs the user to copy and paste a command into the operating system's Run dialog or a terminal. The malware is whatever the attacker decides to load next, because the user has just given the attacker local code execution on their own machine. Researchers at Proofpoint have been tracking the pattern through a program they call ErrTraffic, a ClickFix-as-a-service operation that lets affiliates plug in their preferred final payload. (Proofpoint threat researcher Tommy M on Infosec Exchange)
The Gizmodo delivery was attributed by Tommy M to an ErrTraffic affiliate. The Windows payload was NetSupport RAT, a program built on top of NetSupport Manager, a legitimate remote-administration tool used by IT departments to fix employee machines. Once installed, the remote-access client lets an attacker browse the file system, exfiltrate documents, and load additional payloads such as ransomware. The same dual-use pattern has been documented by Darktrace across other intrusions. The macOS payload, by contrast, appeared to be misconfigured: the ZIP archive was password-protected, and the user had no way to open it. That failure was observed, not confirmed, and a broken dropper is not the same as a safe one.
Treat the question of who was exposed as open. Gizmodo has not published a count, and there is no public telemetry on how many visitors received the injected script during the active window. What is structural, and what makes this story worth sitting with, is the trust channel the attackers walked through. A major media site is supposed to be a controlled surface: the publisher controls the homepage, the article pages, and the code that runs on them. In practice, modern publishing is a stack of third-party accounts: a content management system, a tag manager, an ad server, a script loader, a comment widget. Any one of them can inject arbitrary JavaScript into every page on the domain. There is no per-script signing, no software bill of materials, and no integrity channel that lets a reader's browser tell the difference between a script the publisher chose and a script an attacker uploaded through a stolen credential. The reader's address bar still says gizmodo.com, the page still loads over HTTPS, and the browser has no reason to refuse the payload.
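As an added illustration of the integrity check the paragraph above says is missing, and not code from Gizmodo or from the researchers cited here: a script-inventory audit a publisher or monitoring service could run against its own served HTML. It assumes a baseline of approved external script URLs (pinned with SRI) and SHA-256 digests of approved inline scripts; the sample page, the CDN URL and the SRI value are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external = []      # (src URL, integrity attribute or None)
        self.inline = []        # raw text of each inline script
        self._in_script = False
        self._buf = []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def audit(html, allowed_src, allowed_inline_hashes):
    """Compare a page's scripts with the baseline; an empty list means it matches."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        if src not in allowed_src:
            findings.append(f"unexpected external script: {src}")
        elif integrity is None:   # approved URL, but nothing pins its content
            findings.append(f"external script without SRI pin: {src}")
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in allowed_inline_hashes:
            findings.append(f"unexpected inline script (sha256 {digest[:12]}...)")
    return findings

# Constructed sample: one approved, SRI-pinned script plus an injected inline script.
SAMPLE_PAGE = """<head>
<script src="https://cdn.example.invalid/site.js" integrity="sha256-PLACEHOLDER"></script>
<script>document.body.innerHTML += '<div>Your browser is out of date</div>';</script>
</head>"""
BASELINE_SRC = {"https://cdn.example.invalid/site.js"}   # hypothetical approved URL
BASELINE_INLINE = set()   # this publisher serves no approved inline scripts
```

Run on every article URL from a clean fetch at an interval, and alert on any non-empty result; the inline-script digest changing across all pages at once is exactly the signal a compromised publishing account produces.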
This is the same shape as the software supply chain attacks that made SolarWinds and 3CX catastrophic. In those cases, a single compromised vendor account let attackers rewrite signed software that thousands of customers installed in good faith. The publisher-reader channel has the same structure, only without the signing, without the SBOM, and without a regulated breach-disclosure trigger when it breaks. The controls that exist for software vendors do not yet exist for media domains, and the attacker does not need to compromise the publisher. They only need to compromise one account inside the publisher.
The reader-side takeaway is uncomfortable and useful: a trusted domain is not the same thing as a trusted page. A link from a major outlet is a reasonable starting point, not a safety guarantee, and the safest habit is still the unglamorous one. Read the prompt before you paste into it. If a site asks you to copy a command, run a "fix," or open your terminal to prove you are human, that prompt is the attack, and no domain name in the address bar can change that.