I was of the opinion that MacBooks are comparatively safer than other laptops, but I’ve been proven wrong. Embarrassingly and demonstrably wrong. A new report from Sophos X-Ops has spared no effort in rubbing my nose in it.
Researchers at the firm tracked three separate attack campaigns between November 2025 and February 2026, all of which targeted macOS users with something called the MacSync infostealer. For those catching up: it’s a type of malware that quietly rifles through your passwords and saved credentials, acting like a digital pickpocket.
So, how does it actually work?
The malware used a delivery method called ClickFix, which requires minimal technical effort. It just needs the victims to copy and paste a command into their Mac’s Terminal (designed to run and execute text-based commands) and press Enter on the keyboard.
First, bad actors used fake OpenAI download pages, which were circulated via sponsored ads on Google (sitting right above the legitimate link). Then, they got even more creative: attackers started sharing real ChatGPT shared conversations disguised as “helpful Mac guides.”
These guides routed users to fake GitHub pages, which contained carefully crafted software installation instructions, but in reality, they asked users to copy a terminal command, allowing the MacSync infostealer to work in the background. That’s it; that’s the whole attack.
How bad did it get?
Sophos found that by December 2025 alone, bad actors had routed more than 50,000 clicks to such malicious domains. A “click” means that someone copied the malicious terminal command, but not necessarily that the malware successfully installed; the actual infection count could be lower.
The developers put another spin on their attack method in February 2026, allowing it to run silently in the background, bypassing the capable macOS security tools such as Gatekeeper and XProtect. It can, in a very real way, patch your Ledger crypto wallet’s 24-word master key.
The firm reports that infection clusters were active in key markets, including parts of North and South America and India, as recently as weeks before they published the article (by the end of the beginning of March, presumably).
Moreover, the notion that “Macs are safe” is, at least for the moment, not true. As AI platforms grow in popularity and, more importantly, gain the trust of millions of users, bad actors are coming up with new ways to use LLM-driven tools to their advantage. For now, I’d advise you not to paste any text-based command into your Mac’s Terminal.

