Jamf
-
North Korean-linked actors use malicious VS Code projects to deploy backdoor
Jamf reported that North Korean-linked actors abused Visual Studio Code task files to execute obfuscated JavaScript that fetches backdoors and enables remote code execution, targeting developers who clone and open repositories.
-
Jamf finds MacSync macOS stealer delivered in signed, notarized Swift installer
Jamf researchers found a MacSync macOS stealer variant delivered in a code-signed, notarized Swift installer inside a DMG that could bypass Gatekeeper; Apple revoked the signing certificate and analysis links the payload to the rebranded Mac.c infostealer with remote command-and-control capabilities.
-
MacSync Stealer shifts to signed Swift dropper, removing need for terminal commands
MacSync Stealer operators now distribute a code-signed, notarized Swift dropper inside a disk image, removing the need for terminal interaction. The change has enabled rapid infections of macOS systems since mid-2025.



