Attackers have launched a clever two-step trap targeting Mac users who search for Claude, Anthropic’s popular AI assistant. They buy Google sponsored ads that show the real claude.ai domain — so the link looks completely legitimate. When clicked, the ad opens a publicly shared Claude.ai chat that impersonates Apple Support and instructs the visitor to paste a shell command into their Mac’s Terminal app.
That command silently downloads and runs MacSync, an infostealer that harvests saved browser passwords, cookies, and the macOS Keychain (where your Wi-Fi passwords and saved logins live), then sends everything to attacker-controlled servers. Because the malware runs entirely in memory rather than saving files to disk, it is hard for standard antivirus tools to catch.
How to check if you’re affected
Affected devices are any Mac where you recently searched for “Claude” on Google, clicked a sponsored result, and then followed instructions to open the Terminal and paste a command. If that describes you:
- Open Keychain Access (search for it with Spotlight) and look for any unfamiliar entries added in the past few days.
- Change your most important passwords — email, banking, social media — from a different, unaffected device.
- Run a scan with Malwarebytes for Mac (free version) to check for lingering persistence.
Going forward: never paste commands from a web page into Terminal, and always reach software by typing the developer’s URL directly — never by clicking Google sponsored results.