1 · Pastejacking — what you copy isn't what you get

A page can listen for the copy event and rewrite what lands on your clipboard. The box shows a harmless command; with hijacking on, the clipboard gets something extra. The hijack is real (within this frame), but the payload is a harmless echo string.

The command shown on the page
npm install cool-lib

You can also just select the text above and press Ctrl/Cmd+C — the same copy-event hijack fires.
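
A defender-side check for the mismatch described above, added here as an example and not part of this demo's own code: it compares the command a page displayed with the text a paste actually delivers, and flags appended commands, newlines and invisible characters. The element id `paste-check`, its `data-expected` attribute and the function names are assumptions.

```javascript
// Added example (not the demo's code): inspect pasted text before trusting it.
// Any sample strings used with it are constructed.

const CONTROL = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/;
const INVISIBLE = /[\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]/;

// Compare the command the page displayed with what the clipboard delivered.
function inspectPaste(displayed, pasted) {
  const findings = [];
  if (pasted !== displayed) findings.push('mismatch');
  // A newline can make a terminal run the line as soon as it is pasted.
  if (/[\r\n]/.test(pasted)) findings.push('newline');
  if (CONTROL.test(pasted)) findings.push('control-char');
  if (INVISIBLE.test(pasted)) findings.push('invisible-unicode');
  // Text appended after the displayed command, starting with a shell separator.
  if (pasted.startsWith(displayed) &&
      /^\s*(;|&&|\|\||\||&)/.test(pasted.slice(displayed.length))) {
    findings.push('chained-command');
  }
  return findings;
}

// Render hidden characters as escapes so a reviewer can see them.
function visible(text) {
  return text.replace(
    /[\u0000-\u001f\u007f\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Browser wiring (skipped outside a browser): report on every paste into the
// element with the hypothetical id "paste-check".
if (typeof document !== 'undefined') {
  const box = document.getElementById('paste-check');
  if (box) box.addEventListener('paste', (event) => {
    const pasted = event.clipboardData.getData('text/plain');
    const shown = box.dataset.expected || ''; // hypothetical data-expected attribute
    console.log(visible(pasted), inspectPaste(shown, pasted));
  });
}
```

Pasting into a plain text field first and reading the escaped output shows what a terminal or Run dialog would have received.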

2 · ClickFix lure — the "paste to verify" trap simulated

The 2024–25 wave: a fake CAPTCHA copies a command to your clipboard, then tells you to paste it into the Windows Run dialog / Terminal. Nothing here runs — this is an awareness mock so you recognize the pattern.

⚠ Verify you are human
Complete the steps to access the content
  1. Press Win + R to open the Run dialog
  2. Press Ctrl + V to paste the verification code
  3. Press Enter to verify

3 · Hidden autofill harvesting

A form shows two innocent fields, but hides several more off-screen. When the browser/password manager autofills, it can fill the hidden ones too — and they're submitted to the attacker. Reveal them, then simulate an autofill.
