AMOS macOS Stealer
-
OpenAI revokes Mac app certificate after Axios supply chain incident
OpenAI said a GitHub Actions workflow used to sign its Mac apps downloaded a malicious Axios package on March 31. The company is revoking the certificate, but said it found no evidence of data or system compromise.
-
Atomic Stealer campaign abuses macOS Script Editor in ClickFix variation
A new macOS malware campaign is using Script Editor in a ClickFix-style attack to deliver Atomic Stealer, avoiding Terminal prompts and relying on fake Apple-themed pages that push users to run malicious code.
-
Microsoft warns Python-based infostealers are targeting macOS via malvertising and fake installers
Microsoft warned in a technical analysis that Python-based infostealers have expanded to macOS since late 2025. Campaigns use malvertising, fake DMG installers, and fileless techniques to steal credentials and iCloud Keychain data.
-
GlassWorm fourth wave targets macOS with trojanized crypto wallets in VS Code extensions
A fourth GlassWorm wave is targeting macOS developers with trojanized VS Code and OpenVSX extensions that steal credentials and attempt to replace hardware wallet apps. More than 33,000 installs were recorded.
-
Jamf finds MacSync macOS stealer delivered in signed, notarized Swift installer
Jamf researchers found a MacSync macOS stealer variant delivered in a code-signed, notarized Swift installer inside a DMG that could bypass Gatekeeper; Apple revoked the signing certificate and analysis links the payload to the rebranded Mac.c infostealer with remote command-and-control capabilities.
-
MacSync Stealer shifts to signed Swift dropper, removing need for terminal commands
MacSync Stealer operators now distribute a code-signed, notarized Swift dropper inside a disk image, removing the need for terminal interaction. The change has enabled rapid infections of macOS systems since mid-2025.
-
Mac ad campaign impersonating brands pushes macOS credential stealer, LastPass warns
Security researchers warn of a malvertising campaign that uses search ads to impersonate LastPass and other services, delivering the Atomic Stealer/Amos Stealer on macOS via fraudulent GitHub pages; LastPass says takedowns are underway and IoCs are shared.
-
VirusTotal flags 44 undetected SVGs in Colombian phishing campaign; hundreds of SVGs detected in the wild
VirusTotal has flagged a new malware campaign that uses 44 undetected SVG files in phishing that impersonates Colombia’s Fiscalía General de la Nación; the files inject a Base64-encoded HTML page and trigger a hidden ZIP download. Overall SVG detections in the wild have reached 523, with the earliest samples dating to August 14, 2025.









