Security researchers at SlowMist have issued a fresh alert on an active variant of the MacSync Stealer, a macOS infostealer that continues to evolve and pose serious risks to cryptocurrency holders, developers, and anyone storing sensitive credentials on Apple computers.
The warning, posted Wednesday on X by the blockchain security firm, highlights version 1.1.2 of the malware, which steals crypto wallets, browser data, system Keychains, and infrastructure credentials such as SSH keys, AWS access, and Kubernetes configurations.
According to SlowMist, the stealer relies on fake AppleScript dialogs that mimic legitimate macOS prompts to trick users into entering their login passwords. Once credentials are harvested, it displays a bogus “not supported” error message to throw victims off the scent while quietly exfiltrating the data.
MacSync operates as Malware-as-a-Service (MaaS), meaning its developers lease the tool to other cybercriminals rather than deploying it themselves. This business model has fueled its spread across multiple campaigns since it first gained attention in 2025.
Earlier versions often arrived through social engineering tricks like ClickFix-style fake CAPTCHAs or SEO-poisoned search results that led users to malicious sites. More recent iterations have grown sophisticated, sometimes delivered via code-signed and notarized Swift applications disguised as legitimate installers—tactics that temporarily bypassed Apple’s Gatekeeper protections before certificates were revoked.
In this latest build, researchers note the malware’s focus on high-value targets. It doesn’t just grab browser cookies or saved passwords; it goes after desktop crypto wallets, Telegram data, and even development environment secrets that could open doors to cloud infrastructure or private networks.
The use of deceptive system dialogs is particularly insidious because many macOS users have been trained to trust password prompts from AppleScript or system processes.
SlowMist emphasized that the threat is “highly destructive,” with some users already reporting asset losses in related incidents. The firm’s MistEye threat intelligence platform received community tips about the active campaign and quickly shared indicators of compromise (IOCs) with clients.
While specific hashes and domains for v1.1.2 were not detailed in the public post, previous analyses of MacSync variants have pointed to temporary staging paths like /tmp/sync[random]/, exfiltration archives such as /tmp/osalogging.zip, and suspicious network callbacks.
How the Attack Typically Unfolds
Victims are often lured through unverified downloads—fake software updates, messaging app installers, or browser extensions hosted on shady domains. Once the payload runs, it may perform connectivity checks to avoid sandboxed environments, then deploy obfuscated scripts that decode and execute the stealer.
The fake password prompt is the critical social engineering step: users who comply unwittingly unlock their own Keychain, handing over a treasure trove of saved credentials.
After exfiltration, the malware attempts to cover its tracks, sometimes wiping temporary scripts or displaying error messages to make the incident look like a benign compatibility issue.
Who is at risk?
While MacSync has hit regular consumers, researchers have observed campaigns targeting U.S. state, local, tribal, and territorial (SLTT) government users, as well as enterprise environments. Crypto enthusiasts and blockchain developers appear to be prime targets given the malware’s emphasis on wallet data and infrastructure keys.
Apple has improved macOS defenses over the years, but signed malware and clever social engineering continue to find cracks. Notarization and code-signing provide a false sense of security when users download from untrusted sources.
What users should do
SlowMist offered clear remediation advice for anyone who suspects exposure:
- Avoid running unverified scripts or entering passwords into unexpected prompts.
- If compromise is suspected, immediately rotate all infrastructure credentials (SSH, AWS, Kubernetes, etc.).
- Invalidate and recreate affected Keychains.
- Migrate cryptocurrency assets to new, secure wallets not linked to the compromised device.
- Monitor for unusual network activity or files in /tmp directories.
Broader prevention includes keeping macOS and security tools updated, using a reputable antivirus or endpoint detection solution capable of spotting macOS-specific threats, and exercising caution with downloads—even those that appear to come from familiar-looking sites.
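As an added triage helper (not SlowMist’s tooling or anything from the malware itself), the POSIX shell function below checks a directory for the staging artefacts earlier MacSync analyses cited, sync[random] directories and the osalogging.zip archive, and also lists recently touched entries, since the stealer wipes its scripts quickly. The directory argument and the ten-minute window are assumptions chosen so it can be run against a constructed test directory; it only reads and never deletes, so findings stay intact for forensics.

```shell
#!/bin/sh
# macsync_tmp_triage [DIR]  (DIR defaults to /tmp, the location named in the article)
# Prints one "TAG path" line per finding:
#   STAGING_DIR    a sync<random> directory used as a staging area
#   EXFIL_ARCHIVE  the osalogging.zip exfiltration archive
#   RECENT         any entry modified in the last 10 minutes (window is an assumption)
# Exit status is 1 when a staging dir or archive was found, otherwise 0.
macsync_tmp_triage() {
    dir="${1:-/tmp}"
    hits=0
    # Staging directories: the glob stays literal when nothing matches,
    # so the -d test filters that case out.
    for d in "$dir"/sync*; do
        [ -d "$d" ] || continue
        printf 'STAGING_DIR %s\n' "$d"
        hits=$((hits + 1))
    done
    # Exfiltration archive reported by earlier analyses.
    if [ -f "$dir/osalogging.zip" ]; then
        size=$(wc -c < "$dir/osalogging.zip" | tr -d ' ')
        printf 'EXFIL_ARCHIVE %s (%s bytes)\n' "$dir/osalogging.zip" "$size"
        hits=$((hits + 1))
    fi
    # Surface anything touched recently; the stealer stages and wipes fast.
    find "$dir" -mindepth 1 -maxdepth 1 -mmin -10 2>/dev/null | sed 's/^/RECENT /'
    [ "$hits" -eq 0 ]
}

# Run against the real /tmp when executed directly; a non-zero exit flags findings.
macsync_tmp_triage "${1:-/tmp}" \
    || echo "Artefacts found: preserve them and rotate credentials as advised above."
```

Run it as `sh macsync_triage.sh` (or pass another directory); treat any STAGING_DIR or EXFIL_ARCHIVE line as a reason to follow the rotation steps above rather than as proof on its own.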
MacSync is far from the only macOS stealer in circulation. Variants linked to families like AMOS or delivered through fake updates show that threat actors are investing heavily in Apple platforms as adoption grows in professional and crypto circles.
Security firms continue to track the malware’s rapid adaptations. As one researcher noted in earlier analyses, MacSync’s developers treat it like a commercial product, iterating quickly based on what evades detection.
The crypto ecosystem at risk
The SlowMist warning lands at a particularly tense moment for the cryptocurrency sector, as DeFi platforms have absorbed heavy blows from a string of high-profile incidents over the past few weeks.
On April 1, Solana-based perpetuals exchange Drift Protocol lost approximately $285 million in what investigators linked to a sophisticated, six-month social engineering campaign reportedly tied to North Korean actors, who gained admin access through compromised multisig approvals and drained more than half the protocol’s total value locked in minutes.
Just days ago, on April 19, liquid restaking protocol Kelp DAO suffered an even larger breach when attackers exploited a vulnerability in its LayerZero-powered bridge. They drained roughly 116,500 rsETH worth about $293 million—the biggest single DeFi exploit of 2026 so far—before using the stolen tokens as collateral on lending platforms, triggering emergency pauses and contagion across the DeFi ecosystem.
These headline-grabbing protocol-level exploits have been accompanied by a surge in phishing attacks and credential-stealing campaigns that target individual users and developers, many of whom hold the private keys, seed phrases, or infrastructure credentials that could amplify losses if compromised.
With over $600 million drained from DeFi protocols in April alone, the industry finds itself confronting not only smart-contract and bridge weaknesses but also the persistent human element: everyday macOS users running unverified scripts or falling for deceptive prompts that could hand attackers the keys to wallets, Keychains, and cloud environments.
For now, the message from SlowMist is straightforward: stay vigilant, question every password request, and treat unexpected macOS dialogs with skepticism. In an era where a single compromised Keychain can expose wallets, cloud accounts, and more, that extra moment of caution could prevent significant losses.