With an infostealer now appearing on Apple computers, macOS is no safer a haven than Windows.

I thought MacBooks were relatively safer than other laptops, but I was proven wrong. It’s baffling and patently wrong. A new report from Sophos X-Ops spared no effort in rubbing my nose in it.

The company’s researchers tracked three separate attack campaigns between November 2025 and February 2026, all of which targeted macOS users with something called the MacSync infostealer. For those catching up, an infostealer is a type of malware that acts like a digital pickpocket, silently combing through your passwords and stored credentials.

So how does it actually work?

The malware used a delivery method called ClickFix, which required minimal technical effort. All the victim has to do is copy a command, paste it into the Mac Terminal (the app designed to launch and execute text-based commands), and press Enter.

First, the malicious actors used a fake OpenAI download page distributed via sponsored Google ads (placed directly above the legitimate link). The attackers then began sharing behind-the-scenes ChatGPT shared conversations disguised as “useful Mac guides.”

The guide directed users to a fake GitHub page with carefully written software installation instructions, which in fact asked users to copy terminal commands that allowed the MacSync infostealer to work in the background. That’s it; that’s what the attack is all about.

How bad has it gotten?

Sophos found that as of December 2025, malicious actors had routed more than 50,000 clicks from these malicious domains. A “click” means that someone copied a malicious terminal command, but it doesn’t necessarily mean that the malware was successfully installed. The actual number of infected people may be lower.

The developers made another change to the attack method in February 2026, allowing it to run silently in the background, bypassing capable macOS security tools such as Gatekeeper and XProtect. You can patch the 24-word master key of your Ledger cryptocurrency wallet in a very practical way.

The company reported that clusters of infections were active in key markets, including North America, South America, and parts of India, in the weeks leading up to the publication of its latest article (possibly as late as early March).

Moreover, the idea that “Macs are safe” is simply not true, at least not for the time being. As AI platforms grow in popularity and, more importantly, gain the trust of millions of users, malicious actors are devising new ways to leverage LLM-based tools. We do not recommend pasting text-based commands into Mac Terminal at this time.
