A live demonstration of clipboard hijacking — the social engineering technique used to deliver TELEPUZ and dozens of other malware families in 2026. See exactly what happens between copy and paste. Runs entirely in your browser. No data leaves your machine.
BROWSER-BASED · NO SERVER · NO DATA UPLOAD · EDUCATIONAL USE ONLY
⚠️
Educational Demonstration Only
This tool simulates a ClickFix clipboard hijack using a defanged, non-functional payload for awareness training. No real malware is involved. The command shown is based on the TELEPUZ campaign documented by Elastic Security Labs (July 2026) and has been modified to be completely harmless.
Step 1 — Copy the command from the page below
docs.config-helper.dev/install
Quick Install — @utils/config-helper
The fastest way to get started. Copy the command below and paste it into your terminal.
1
Make sure Node.js 18+ is installed
2
Copy the install command below
3
Paste and run in your terminal
Install Command
npm install @utils/config-helper
⚠ Clipboard Hijacked — You Have No Way to Know This Happened
You clicked Copy. JavaScript on the page silently replaced your clipboard with a malicious PowerShell command. The page looks exactly the same. Nothing changed visually. Your clipboard now contains something you never read. Now paste into the terminal below.
Step 2 — Paste into the terminal below and click Run
Terminal — bash
Paste here with Cmd+V or Ctrl+V, then click Run
$
ClickFix Detection ReportTHREAT DETECTED
What You Saw on the Page
npm install @utils/config-helper
What Was in Your Clipboard
Attack Type
ClickFix — JavaScript Clipboard Hijack
Payload Family
What Would Happen
What just happened to you
You copied what looked like a routine npm install command. JavaScript on the page replaced your clipboard with a PowerShell command that would have downloaded and executed TELEPUZ — a modular MaaS payload active since April 2026 with 36 commands including a keylogger, credential stealer, Chrome cookie extractor, and a Polygon blockchain-based C2. You saw nothing unusual. The page looked legitimate. The action felt mechanical. That is exactly how ClickFix works.
ClickFix is not a software vulnerability. There is no CVE, no exploit, no zero-day. It is a manipulation of a reflex so ordinary most people never question it — the copy-paste action that happens dozens of times a day without conscious thought.
Moment One
You Click Copy
JavaScript fires the moment you interact with the copy button or press Cmd+C. In a single silent operation it overwrites your clipboard with a malicious command. The page shows no error. Nothing changes visually. The action takes milliseconds.
Moment Two
You Paste and Run
You open your terminal and paste. The input field shows the malicious command — but you expect to see what you copied, so you may not read it carefully. You hit Enter. The command executes. The attack is complete before you have any indication something is wrong.
Why It Works
You Are the Execution Engine
No exploit needed. No file to download. No browser vulnerability. The user runs the command themselves — bypassing endpoint detection that looks for files landing on disk. The email that sent you to the page is where the chain starts. That is where it can be stopped.
The TELEPUZ connection: In the campaign documented by Elastic Security Labs (July 16, 2026), the ClickFix lure delivered a PowerShell command that downloaded VIDAR, which installed TELEPUZ — a modular MaaS payload with keylogging, credential theft, Chrome cookie extraction, UAC bypass, and a Polygon blockchain smart contract used as both a C2 resolver and a kill switch. The email that delivered the link is where the chain starts and where it can be stopped.
The TELEPUZ Infection Chain
Stage
Component
What It Does
Email
Phishing lure
Unsolicited email with link to fake documentation or CAPTCHA page
Stage 1
ClickFix
JavaScript hijacks clipboard; user executes PowerShell thinking it is something else
Stage 2
VIDAR (Go variant)
Dropper — downloads TELEPUZ stager and main payload from staging domain
Stage 3
TELEPUZ
Full MaaS payload — 36 commands, keylogger, stealer, blockchain C2, UAC bypass, SYSTEM privilege escalation
Four things to check before you paste a command from the internet — or click a link from an unsolicited email.
1
Read What You Paste Before You Run It
Before pressing Enter, look at the actual text in your terminal input — not the page you copied from. If it does not match what you expected, you have caught a ClickFix attack. This single habit stops it unconditionally.
2
Any Page That Asks You to Paste Into a Terminal Is Suspicious
Legitimate documentation gives you commands to copy and run. A page that creates urgency around pasting — a CAPTCHA that requires you to run a command, an error page that asks you to "fix" something by pasting — is a ClickFix lure regardless of how official it looks.
3
Check the Link Destination Before You Click
Hover over links in email before clicking. In the TELEPUZ campaign, every staging domain used a non-standard TLD — .lol, .shop, .lat, .click, .sbs, .cfd, .asia, .xyz, .club. No legitimate developer documentation lives on these domains. If you see one in an unsolicited email, stop.
4
If You Email Commands to Yourself — Read Them Before You Run
A common workflow: copy a command, email it to yourself to use later on another machine. If the clipboard was hijacked when you copied, the malicious command is now in your sent mail. Your future self will paste it without suspicion. Paste into a plain text editor first, read it, then run it.
For security teams: ClickFix campaigns are email-delivered. The phishing message is the first contact and the cleanest detection opportunity — before the clipboard is touched, before any code runs. Detection rules targeting the email delivery layer (suspicious TLDs in links, urgency language, unsolicited senders) can interrupt the chain at stage zero. A companion Sublime Security detection rule targeting ClickFix email delivery patterns is in development.