FBI director Kash Patel's apparel site hosts clickfix malware

The website for FBI director Kash Patel’s apparel brand is serving a 'ClickFix' malware attack that prompts visitors to download malicious software under the guise of a system update [PCMag]. The attack uses social engineering to mimic a legitimate software installer, targeting Windows users who visit the site.

The malicious payload is delivered through a compromised third-party component on the website, indicating a supply chain breach. ClickFix attacks typically exploit trust in familiar interfaces, urging users to 'update' software that doesn’t need updating. In this case, the installer masquerades as a routine system patch, but would grant attackers access to the victim’s machine.

This incident exposes critical weaknesses in third-party web dependencies, even on sites linked to high-profile public figures. The fact that the FBI director’s own commercial site is hosting malware underscores how easily supply chain flaws can bypass traditional security postures. No evidence suggests Patel or his team orchestrated the attack, but the domain’s association amplifies its credibility and potential reach.

Security researchers stress that client-side supply chain attacks are rising, with over 60% of web breaches in 2025 involving compromised third-party scripts [PCMag]. Filtering or sandboxing external code could mitigate such risks, yet many e-commerce platforms lack these protections.

The site remains active as of May 24, 2026, and no public response from Patel’s team has been issued.