macos

Critical OpenVPN Connect for macOS Vulnerability Let Attackers Execute Arbitrary Commands

A critical privilege escalation vulnerability (CVE-2026-9560) in OpenVPN Connect for macOS allows local attackers to execute arbitrary commands with root privileges via the application's privileged helper service, affecting versions 3.5.1 through 3.8.1. Security researchers have disclosed the flaw responsibly, urging users to update immediately to mitigate risks of local exploitation and potential lateral movement in shared macOS environments.

https://cybersecuritynews.com/openvpn-connect-for-macos-vulnerability/

New macOS Stealer Campaign Uses Script Editor in ClickFix Attack

A new macOS malware campaign delivering the Atomic Stealer exploits the built-in Script Editor app via a variation of the ClickFix attack, tricking users into running malicious scripts without manual Terminal interaction. The attack uses fake Apple-themed websites that launch Script Editor with pre-filled code to download and execute obfuscated payloads, targeting sensitive data such as Keychain items, browser passwords, and cryptocurrency wallets. Mac users are advised to treat Script Editor prompts with caution and rely only on official Apple documentation for system guidance.

https://www.bleepingcomputer.com/news/security/new-macos-stealer-campaign-uses-script-editor-in-clickfix-attack/

ClickFix Campaigns Spread MacSync macOS Infostealer Via Fake AI Tool Installers

Multiple ClickFix campaigns have been identified spreading the MacSync macOS information stealer through fake AI tool installers that trick users into running malicious Terminal commands. These campaigns leverage malvertising and social engineering, often using trusted platforms and search ads to lure victims, with recent variants employing advanced evasion techniques to harvest sensitive data like credentials and cryptocurrency wallet seed phrases. Security experts warn that these evolving tactics exploit developers’ trust in command-line installs and have been adopted by multiple threat actors targeting both macOS and Windows environments.

https://thehackernews.com/2026/03/clickfix-campaigns-spread-macsync-macos.html

The AMOS Infostealer Is Piggybacking ChatGPT’s Chat-sharing Feature

Cybercriminals are spreading the AMOS (Atomic MacOS Stealer) infostealer using convincing Google ads and ChatGPT’s chat-sharing feature. Victims are directed to a legitimate-looking chatgpt.com page showing a fake guide to installing the non-existent Atlas browser for macOS. The guide instructs users to run a terminal command, which downloads malware, steals passwords, browser, and wallet data, and installs a persistent backdoor. Users are advised to avoid running terminal commands from untrusted sources, use trusted security solutions, and seek expert advice if instructions seem suspicious.

https://www.kaspersky.com/blog/share-chatgpt-chat-clickfix-macos-amos-infostealer/54928/

Fake LinkedIn Jobs Trick Mac Users Into Downloading Flexible Ferret Malware

Mac users targeted by fake LinkedIn job offers to download Flexible Ferret malware via counterfeit software updates. Attackers impersonate recruiters to steal passwords and gain covert access through a backdoor. Individuals are advised to keep software updated, avoid running unverified commands, use real-time anti-malware, and verify sender authenticity to stay safe.

https://www.malwarebytes.com/blog/news/2025/11/fake-linkedin-jobs-trick-mac-users-into-downloading-flexible-ferret-malware

New XCSSET Malware Adds New Obfuscation, Persistence Techniques to Infect Xcode Projects

New XCSSET malware variant enhances techniques for infecting Xcode projects, employing improved obfuscation, persistence methods, and novel infection strategies. This modular macOS malware targets developers via their Xcode projects, using encoded payloads and enhanced scripting for stealth. Its modular design enables complex multi-stage infections, focusing on stealing user information and while remaining difficult to detect. Mitigation includes using updated OS versions, inspecting Xcode projects, and employing Microsoft Defender for security against threats.

https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware-adds-new-obfuscation-persistence-techniques-to-infect-xcode-projects/

Microsoft Spots XCSSET macOS Malware Variant Used for Crypto Theft

Microsoft has identified a new variant of the XCSSET macOS malware targeting sensitive user information for crypto theft. This updated malware features improved obfuscation, persistence methods, and novel infection techniques, typically spread via contaminated Xcode projects. Key modifications include sophisticated encoding methods, persistent payload behaviors, and the ability to manipulate Xcode project settings. Microsoft recommends users verify their Xcode projects to prevent potential compromises.

https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos-malware-variant-used-for-crypto-theft/

Stealers on the Rise: a Closer Look at a Growing macOS Threat

TLDR: macOS infostealers—Atomic, Poseidon, and Cthulhu—are rapidly increasing, causing significant data theft and risks for organizations. Notably, infostealers accounted for the largest group of new macOS malware in 2024, with a 101% increase detected. They exploit AppleScript to trick users into giving up sensitive information. Advanced protection methods from Palo Alto Networks, including Cortex XDR, are crucial for defense against these threats.

https://unit42.paloaltonetworks.com/macos-stealers-growing/

Analyzing CVE-2024-44243, a macOS System Integrity Protection Bypass Through Kernel Extensions

CVE-2024-44243, found by Microsoft Threat Intelligence, is a serious macOS vulnerability that allows attackers to bypass System Integrity Protection (SIP) by loading unauthorized kernel extensions. This compromise could lead to the installation of rootkits and other malicious activities by enhancing the attack surface. Microsoft collaborated with Apple for a fix included in December 2024 security updates. The importance of monitoring specially entitled processes is emphasized due to their potential in bypassing security measures. The research underlines the necessity of proactive monitoring and cooperative efforts in enhancing cybersecurity across platforms.

https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/

Banshee 2.0 Steals Apple’s Encryption to Hide on Macs

Banshee 2.0, a malware infostealer for Macs, uses an encryption method taken from Apple's antivirus to evade detection, spreading mainly through Russian cybercrime platforms and phishing schemes. It targets browser credentials and cryptocurrency wallet information. Initially detected by antivirus programs, a new version remained hidden for months until its source code leaked, prompting heightened vigilance among macOS users regarding emerging threats.

https://www.darkreading.com/threat-intelligence/banshee-malware-steals-apple-encryption-macs

SysBumps – New Kernel Break Attack Bypassing macOS Systems Security

Researchers from Korea University exposed “SysBumps,” an attack on macOS systems using Apple Silicon. It exploits speculative execution vulnerabilities to bypass Kernel Address Space Layout Randomization (KASLR), a key security feature. By manipulating system calls and using the Translation Lookaside Buffer (TLB) as a side channel, attackers can accurately map kernel memory, achieving over 96% success in locating the kernel base address. This undermines existing kernel isolation techniques. Apple is investigating, and proposed countermeasures include TLB partitioning and code reordering. Users are advised to keep systems updated for future fixes.

https://cybersecuritynews.com/sysbumps/

Scroll to Top