ClickFix Blocker logo ClickFix Blocker
● Cross-platform · Open source · Privacy-first

Block malicious commands before you ever paste.

ClickFix Blocker detects and stops ClickFix / pastejacking clipboard hijacking and fake terminal-command social engineering — across Windows, macOS and Linux.

Add to Chrome See how it works
🔒 Detection runs 100% on your device and works offline. Community shield is optional and off by default.
ClickFix Blocker blocking a malicious clipboard command
100%
On-device detection
Zero
Trackers · cookies · ads
3 platforms
Windows · macOS · Linux
Opt-in
Community reporting is off by default

A line of defense around the paste

ClickFix attacks don't exploit bugs — they trick you into copying a malicious command and pasting it into a terminal. We intercept that at every step.

Clipboard API interception

Overrides clipboard.writeText, ClipboardItem and DataTransfer.setData so pages can't silently write to your clipboard.

Manual-copy protection

When you're tricked into manually copying a malicious command, we intercept the copy event and replace it with a safety notice.

Decode & match engine

Decodes Base64 (incl. PowerShell -enc UTF-16LE) and Hex before matching, so attacks hidden in encoding can't slip through.

Cross-platform signatures

Covers PowerShell, curl|sh, osascript and "Press Win + R" lures drawn from real ClickFix / FakeCAPTCHA campaigns.

See it protect you

No scaremongering. It explains what happened in plain language and safely quarantines the command.

Blocking a Windows PowerShell clipboard command
Stops malicious clipboard commands in real time.
Catching a Press Win + R lure
Catches the #1 trick — the "Press Win + R" lure.
On-device and private by design
100% on-device. Private by design.

Privacy by design

Detection happens in your browser. Nothing is sent by default — the community shield is something you choose to turn on.

100% on-device detection

All matching and blocking runs locally and works offline. No uploads by default.

No personal data, ever

No IP, cookies, browsing history or personal identifiers. No ads or third-party trackers.

Community shield is opt-in

Off by default. When on, a blocked event reports only the domain, pattern category and OS class.

On-device AI stays offline

The optional AI risk note uses the browser's built-in model — no download, no network request.

Read the full Privacy Policy →

Questions

What is a ClickFix / pastejacking attack?

Attackers use fake verification pages, fake CAPTCHAs or "fix it" steps to trick you into copying a command and pasting it into PowerShell, a terminal or Win+R — running malware on your machine. It relies on social engineering rather than a software bug, so traditional antivirus often misses it.

Does it collect my data by default?

No. Detection and blocking happen entirely on your device and stats stay local. Only when you turn on the community shield does a blocked event get reported anonymously — and only the malicious domain, pattern category, OS class, a quarantined snippet (max 150 chars) and a random install id. No IP, no cookies, no personal data.

Which browsers and systems are supported?

Chromium-based browsers like Chrome, Edge and Brave. Detection signatures cover attack patterns on Windows, macOS and Linux.

Free, privacy-first, and active instantly.

No setup after install — clipboard protection works on every site right away.

Add to Chrome — free

* Pending store review; you can load it via developer mode in the meantime. See the project docs.