This post covers active threat research. IOCs are sourced from Sophos (published March 2026). Verify independently before use in detection rules.
What’s New This Week
Pillar Security published a mapping of at least 20 distinct malware campaigns targeting AI and vibe coding tools between February and March 2026. Nine target both Windows and macOS; seven are macOS-exclusive. The MacSync campaigns documented here are part of a broader pattern of attackers specifically going after developer toolchains.
Changelog
| Date | Summary |
|---|---|
| 16 Mar 2026 | Initial publication covering three ClickFix/MacSync campaign waves and the Claude Code impersonation vector. |
The install command looked legitimate. It was the kind of thing developers run every day. Open Terminal, paste this, enter your password. That was it – keychain gone, credentials exfiltrated, seed phrases harvested.
That’s the core of three ClickFix campaigns that have been delivering MacSync infostealer to macOS users since November 2025. What makes these campaigns worth paying attention to is not the malware itself – it’s what the attackers figured out about developer psychology. The Claude Code impersonation variant isn’t a clever trick. It’s a precise exploitation of a conditioned reflex that most engineers don’t even know they have.
What ClickFix Is
ClickFix is a social engineering mechanic, not a specific piece of malware. The attack presents users with instructions – typically formatted as troubleshooting steps, installation guides, or verification challenges – that include a Terminal or PowerShell command to copy and run. The user does the executing. No exploit, no drive-by download, no zero-day. Just a human following instructions.
Traditional ClickFix attacks manufactured a reason to run a command: a fake CAPTCHA, a simulated system error, a bogus browser update prompt. The user had to be convinced there was a problem requiring their input. Push Security’s name for the developer-targeted variant – InstallFix – captures what changed: the pretext is now simply that the user wants to install legitimate software. No manufactured crisis required.
Three Waves, November 2025 to February 2026
The three MacSync campaigns document a threat actor (or actors – Sophos explicitly notes these waves haven’t been attributed to a single group) iterating on the formula.
November 2025. A fake “OpenAI Atlas browser” distributed via Google sponsored search results. The ad led to a Google Sites URL with a download button that, when clicked, displayed Terminal instructions. Running the command downloaded a shell script that prompted for a system password and executed MacSync with user-level permissions. The target was general macOS users searching for AI browser tools.
December 2025. A more sophisticated malvertising campaign targeting searches like “how to clean up your Mac.” This wave used real ChatGPT conversations – hosted on openai.com – as a redirect layer. The links in Google ads pointed to legitimate ChatGPT conversations, which then redirected to malicious GitHub-themed landing pages. The domain inspection that most users do – “is this URL safe?” – passed, because the URL was actually openai.com. The malicious redirect was in the conversation content, not the address bar. Jamf Threat Labs also flagged this campaign independently.
February 2026. Targeting Belgium, India, and parts of North and South America, this wave introduced technical upgrades: dynamic AppleScript payloads and in-memory execution. The shell script contacts a hard-coded server, retrieves the infostealer payload, executes it entirely in memory, and then removes evidence of the data theft. More on why that last detail matters shortly.
The Claude Code Impersonation
The most recent development is the one most relevant to developers: ClickFix lures hosted on Cloudflare Pages, Squarespace, and Tencent EdgeOne that specifically impersonate installation instructions for Anthropic’s Claude Code. The URLs are distributed via malicious Google search ads targeting developers who search for Claude Code.
This is not a coincidence of target. The attackers chose Claude Code because the legitimate installation workflow for Claude Code – and for most AI developer tools – involves exactly the Terminal-based steps the lure mimics. There is no Mac App Store listing. The official install path is npm, pip, or a curl command from the documentation. The fake instructions don’t need to look unusual because the real instructions look the same way.
Push Security documented the same pattern under the name InstallFix. Pillar Security mapped at least 20 campaigns targeting AI and vibe coding tools in just a six-week window. The attack surface here isn’t a vulnerability – it’s the entire AI tooling ecosystem and the install patterns it has normalised.
The Terminal Trust Problem
Normal users are scared of Terminal. Developers are not. That asymmetry is the attack.
Social engineering works by exploiting conditioned responses. Developers are conditioned, through years of legitimate practice, to:
- Run
curl | shinstallers without reading them (Homebrew, Rust, nvm all use this pattern) - Paste install commands from GitHub READMEs and Discord channels
- Enter their system password when an install script asks for it
- Trust that if the source looks legitimate, the command is fine
Each of these habits is individually reasonable in the right context. Aggregated, they create a developer who is less suspicious of Terminal commands than a non-developer is – not more. The attack doesn’t need to overcome security awareness training. It needs to look like a normal workday task.
As Eilon Cohen at Pillar Security put it: “The ClickFix/InstallFix technique is uniquely effective against developers because curl | sh is a legitimate installation pattern. Homebrew, Rust, nvm, and many other developer tools use this exact pattern. The malicious commands hide in plain sight.”
This connects to a broader pattern of attacks that use trusted channels as the delivery mechanism – where the trustworthiness of the channel is precisely what makes the payload hard to detect. The Wave 2 ChatGPT conversation trick is the same principle applied at the URL level.
What MacSync Actually Takes
MacSync is an infostealer. What it steals matters more than the name.
From compromised hosts, MacSync exfiltrates: credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.
The keychain item is the one that matters most for developers. macOS Keychain stores saved passwords, certificates, API keys, SSH key passphrases, signing certificates, and app-specific tokens. For a developer, Keychain is a comprehensive credential store for every service they’ve authenticated to – cloud providers, code signing infrastructure, internal tools, personal accounts. A single Keychain dump is typically worth more than any individual credential in it.
Crypto seed phrases are the second target. Seed phrase exfiltration is a total loss – there is no recovery path once an attacker has your seed phrase.
This is the credential theft chain made efficient. One shell script, one password prompt, one Keychain dump.
The In-Memory Evolution
Wave 3’s technical upgrade to in-memory AppleScript execution is worth understanding as an incident response problem.
Traditional malware drops a file. When you investigate a compromise, you look for the file. Behavioral detection tools watch for suspicious processes writing to disk. Forensic reconstruction follows the filesystem trail.
In-memory execution breaks all of that. The AppleScript payload is retrieved over the network, executed in memory, and the evidence of the data theft is removed before the process exits. There is no file to find. By the time incident response starts – if it starts at all, given that MacSync is designed not to announce itself – the payload has run, the data is gone, and the artefacts have been cleaned up.
This is the same direction that supply chain attacks targeting invisible components have taken: make detection harder by making the attack leave less to detect. The Wave 3 upgrade isn’t a new capability for the malware ecosystem broadly, but its adoption in a mass-distribution macOS campaign signals that the tooling is accessible enough to be worth including in a commodity infostealer.
Sophos notes: the variant “likely represents the malware developer adjusting to OS and software security measures to maintain effectiveness.” That’s a reasonable reading. It also means the detection window – between infection and discovery – is shorter than it was.
Six Checks Before Running Any Installer
If you install AI developer tools regularly, this attack is targeting your workflow specifically. Six concrete checks:
Go to the source directly. If you’re installing Claude Code, the URL is anthropic.com or the official GitHub repo. Not a search ad result. Not a pages.dev URL. Bookmark official install docs.
Verify the domain before you trust the page. openai.com is not automatically safe if the content on the page is redirecting you somewhere else. Check where links actually go, not just the top-level domain.
Treat any install instruction via a web page as suspicious by default. Legitimate tools have official documentation. If the install instructions you found are on a page you reached via a Google ad, that’s a signal worth pausing on.
Never enter your system password for a script from a search result. Legitimate installers that need elevated permissions will use official system prompts. A shell script that prompts for your password in Terminal should raise your suspicion immediately.
Enable Gatekeeper and notarisation checks. macOS Gatekeeper won’t catch a shell script, but it’s a useful layer for anything that lands as a binary. Keep it on, don’t disable it because something prompted you to.
Check the Sophos MacSync IOCs. If you have endpoint detection, run them. If you don’t have endpoint detection, that’s the longer conversation to have.
The Closing Point
The attack doesn’t need to be sophisticated. It needs to be plausible. And for a developer who installs AI tools every week – Claude Code, Cursor, Windsurf, MCP servers, various LLM CLI wrappers – a fake Claude Code install page served via a Google ad is very plausible indeed.
The reason this works is not that developers are careless. It’s that the legitimate workflow and the malicious workflow look identical from the outside. The trust boundaries in AI agent pipelines are a known problem in production systems; the same problem exists in the install flows that build those systems. An attacker who understands developer habits doesn’t need a zero-day. They just need a convincing README.